Six malicious antivirus apps have been removed from the Google Play app store. For good reason, instead of protecting users against cybercriminals, they were actually used to distribute malware to steal passwords, bank details and other personal information of Android users.
These malicious apps were spotted by Check Point cybersecurity researchers. According to them, they were downloaded from Google’s official app store by more than 15,000 users, who were infected with the Android Sharkbot malware.
Theft of sensitive data
Sharkbot is designed to steal usernames and passwords, tricking victims into entering their credentials into overlay windows that send the information back to attackers. They can then use them to access emails, social networks or, worse, online bank accounts.
The six malicious apps discovered by the researchers aimed to lure Android users looking for antivirus, cleaners and security apps.
It is possible that the victims received phishing links that directed them to the download pages of Sharkbot-infested apps. The apps were able to circumvent Google Play store protections, with the apps’ malicious behavior only being activated once they were downloaded by a user and the app communicated with servers run by the attackers.
Apps always available
“We believe they were able to do this because all the malicious actions were triggered from the C&C server, so the app could remain in an ‘OFF’ state for a test period in Google Play and put it in the “ON” state when it arrived on users’ devices,” Alexander Chailytko, head of cybersecurity, research and innovation at Check Point Software, told ZDNet.
And to estimate that Sharkbot will not infect everyone who downloads it: it uses a geofencing function to identify and ignore users from China, India, Romania, Russia, Ukraine or Belarus. Meanwhile, most of the victims who downloaded Sharkbot seem to be in the UK and Italy. After identifying the apps, Check Point reported its findings to Google, which removed the six apps from the Google Play Store.
Although apps infected with Sharkbot have been removed from Google’s official marketplace, they remain actively available on third-party sites, so users may still be tricked into downloading them.
What to do in case of infection?
If you think you have downloaded a malicious application, you should immediately uninstall it, download a legitimate antivirus program to scan your device, and change passwords for accounts that may have been stolen.
When in doubt about what to download or whether an app is legit, user reviews can help clarify things because if the app isn’t legit, the reviews often say so.
Source: ZDNet.com