The Android banking scam malware known as SharkBot has reared its head again in the official Google Play Store, posing as a file manager to bypass app marketplace restrictions.
A majority of the users who downloaded the rogue apps are located in the UK and Italy, Romanian cybersecurity firm Bitdefender said in an analysis published this week.
SharkBot, first discovered by Cleafy in late 2021, is a recurring mobile threat that is proliferating on both the Google Play Store and third-party app stores.
One of the Trojan's main goals is to initiate money transfers from compromised devices via a technique called "Automatic Transfer System" (ATS), where a transaction initiated via a banking app is intercepted and the payee's account is swapped for an actor-controlled account in the background.
It can also display a fake login overlay when users try to open legitimate banking apps, stealing credentials in the process.
Often, such apps offer seemingly harmless features, masquerading as antivirus software and cleaners to sneak into the Google Play Store. But they also act as droppers which, once installed on the device, can fetch the malware payload.
The dropper apps, now removed, are listed below:
- X-File Manager (com.victorsoftice.llc) – 10,000+ downloads
- FileVoyager (com.potsepko9.FileManagerApp) – 5,000+ downloads
- LiteCleaner M (com.ltdevelopergroups.litecleaner.m) – 1,000+ downloads
LiteCleaner M can still be downloaded from a third-party app store called Apksos, which also hosts a fourth SharkBot artifact called “Phone AID, Cleaner, Booster” (com.sidalistudio.developer.app).
The X-File Manager app, which was only accessible to users in Italy, attracted over 10,000 downloads before it was removed. With Google constantly cracking down on permission abuse, the attacker’s decision to use a file manager as bait is not surprising.
That's because Google's developer program policy restricts the permission to install external packages (REQUEST_INSTALL_PACKAGES) to a handful of app categories: web browsers, instant messengers that support attachments, file managers, corporate device management, backup and restore, and device transfer.
This permission is invariably abused to download and install malware from a remote server. Some of the targeted banking apps are Bank of Ireland, Bank of Scotland, Barclays, BNL, HSBC UK, Lloyds Bank, Metro Bank and Santander.
“The application [i.e., the dropper] runs anti-emulator checks and targets UK and Italy users by checking if the SIM ISO matches IT or GB,” according to Bitdefender researchers.
Users who have the above apps installed are advised to delete them and change their bank account passwords immediately. Users are also advised to turn on Play Store Protect and check app ratings and reviews before downloading.
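To check a device for the apps named above, the following added example (not code from Bitdefender or the original article) parses `adb shell dumpsys package` output, reports any of the four listed package IDs, and separately lists other apps that request REQUEST_INSTALL_PACKAGES for manual review. The function names and the sample text are constructed for illustration, and the parser assumes the `Package [...]` / `requested permissions:` layout of that output.

```python
import re

# Package IDs of the dropper apps named in this article.
DROPPERS = {"com.victorsoftice.llc", "com.potsepko9.FileManagerApp",
            "com.ltdevelopergroups.litecleaner.m", "com.sidalistudio.developer.app"}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
PKG_HEADER = re.compile(r"^\s*Package \[([^\]]+)\]")
SECTION = re.compile(r"^\s*([A-Za-z][A-Za-z ]*):\s*$")

def requested_permissions(dumpsys_text):
    """Map package name -> permissions listed under 'requested permissions:'."""
    perms, current, in_requested = {}, None, False
    for line in dumpsys_text.splitlines():
        header = PKG_HEADER.match(line)
        section = SECTION.match(line)
        if header:
            current, in_requested = header.group(1), False
            perms.setdefault(current, set())
        elif section:
            # Any other section header (e.g. 'install permissions:') ends the list.
            in_requested = section.group(1) == "requested permissions"
        elif current and in_requested and line.strip():
            # Some builds append flags ("NAME: restricted=true"); keep the name only.
            perms[current].add(line.strip().split(":")[0])
    return perms

def audit(dumpsys_text):
    """Return (known_droppers, needs_review) as sorted lists of package names."""
    perms = requested_permissions(dumpsys_text)
    known = sorted(p for p in perms if p in DROPPERS)
    review = sorted(p for p, req in perms.items()
                    if INSTALL_PERM in req and p not in DROPPERS)
    return known, review

# Constructed sample in the layout of `adb shell dumpsys package` output.
SAMPLE = """\
Packages:
  Package [com.victorsoftice.llc] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
  Package [com.example.filetool] (7a8b9c):
    requested permissions:
      android.permission.REQUEST_INSTALL_PACKAGES: restricted=true
"""
```

Calling `audit(SAMPLE)` returns the listed dropper in the first list and the unrelated installer-capable app in the second; an entry in the second list is a prompt to confirm the app belongs to one of the permitted categories, not a verdict.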