Mobile users who download an antivirus app naturally expect the program to protect their device. But several Android apps analyzed by Check Point Research did the exact opposite. In a report released Thursday, the cyber threat intelligence provider detailed its discovery of six apps in Google Play that appeared to be antivirus software but actually tried to install malware capable of stealing credentials and financial data.
Disguised as genuine antivirus products, the apps in question packed a lethal payload dubbed Sharkbot. Beyond trying to steal sensitive information, this brand of malware attempts to skirt past detection by using various evasion techniques. In particular, it takes advantage of a tactic known as a domain generation algorithm (DGA): the cybercriminals continually generate new domain names and IP addresses for their command-and-control servers, so that blocking any single address does little, making it difficult for authorities to cut off the connection between the attackers and infected machines.
Sharkbot works by prompting its victims to enter account credentials in overlay windows that look like legitimate input forms. Any usernames and passwords entered this way are sent to a malicious server, where the attackers can use them directly for account compromise or sell them on the Dark Web. The malware also attempts to coax users into granting permission for the accessibility service, allowing it to control the device. From there, the attackers can send out notifications that contain malicious links.
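The article does not describe Sharkbot's actual DGA, so the following is an added defender-side illustration, not code from the Check Point report: a heuristic that scores DNS query names for the randomness typical of algorithmically generated domains and flags them in a log. The log lines, domain names, weights and threshold are all constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (assumed format; not real Sharkbot traffic).
SAMPLE_DNS_LOG = """\
2022-03-10T09:12:01Z client=10.0.0.5 query=A name=play.googleapis.com
2022-03-10T09:12:04Z client=10.0.0.5 query=A name=xk3qzv8pwl2mnf7t.com
2022-03-10T09:12:09Z client=10.0.0.7 query=A name=update.microsoft.com
2022-03-10T09:12:11Z client=10.0.0.5 query=A name=qj4rn9tbz1xw7kcv.net
2022-03-10T09:12:15Z client=10.0.0.9 query=A name=techrepublic.com
"""

def registrable_label(name: str) -> str:
    """Naively take the label left of the TLD (no public-suffix list)."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s: str) -> float:
    """Bits per character; random 16-char labels approach 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def dga_score(name: str) -> float:
    """Heuristic DGA-likeness in [0, 1]; weights are assumptions."""
    label = registrable_label(name)
    if not label:
        return 0.0
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    score = min(shannon_entropy(label) / 4.0, 1.0) * 0.5      # high entropy
    score += (1.0 - min(vowel_ratio / 0.35, 1.0)) * 0.3      # few vowels
    score += min(digit_ratio / 0.2, 1.0) * 0.2               # digits mixed in
    return round(score, 3)

LOG_RE = re.compile(r"client=(?P<client>\S+) query=\S+ name=(?P<name>\S+)")

def flag_suspicious(log_text: str, threshold: float = 0.7):
    """Return (client, name, score) for queries at or above the threshold."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and (score := dga_score(m["name"])) >= threshold:
            flagged.append((m["client"], m["name"], score))
    return flagged

if __name__ == "__main__":
    for client, name, score in flag_suspicious(SAMPLE_DNS_LOG):
        print(f"{client} -> {name} (score {score})")
```

Character-statistics heuristics like this one produce false positives on CDN and tracking hostnames, so in practice the flagged names are a triage queue to be correlated with other signals, not a blocklist.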
Upon discovering the malicious apps, Check Point informed Google, which removed them from its app store. Four of the apps came from three developer accounts, two of which were active in the fall of 2021. Despite the removal from Google Play, certain apps linked to these accounts remain available in unofficial app stores, a sign that the attacker may be aiming to stay under the radar while still ensnaring potential victims.
More than 15,000 downloads of the malicious apps were detected by Check Point, mostly targeting the UK and Italy. But by using a geofencing feature to determine a victim's location, the apps purposely ignored targets in China, India, Romania, Russia, Ukraine and Belarus.
“The threat actor strategically chose a location of applications on Google Play that have users’ trust,” Check Point Software research & innovation manager Alexander Chailytko said in a press release. “What’s also noteworthy here is that the threat actors push messages to victims containing malicious links, which leads to widespread adoption. All in all, the use of push messages by the threat actors requesting an answer from users is an unusual spreading technique. I think it’s important for all Android users to know that they should think twice before downloading any antivirus solution from the Play Store. It could be Sharkbot.”
To help protect individuals and organizations from these types of malicious apps, Check Point provides a few tips:
- Install mobile apps only from trusted and legitimate app stores and publishers.
- If you spot an interesting app from a new or unknown publisher, look for similar apps from better-known and trusted publishers.
- Report any suspicious apps to Google.