SharkBot Trojan Spread Via Android File Manager Apps

Now-Removed Apps Have 10K Downloads, Target Victims in the UK, Italy
The operators behind banking Trojan SharkBot are targeting Google Play users by masquerading as now-deactivated Android file manager apps and have tens of thousands of installations so far.
Cybersecurity firm Bitdefender says it found applications on Google Play store disguised as file managers and acting "as droppers for SharkBot bankers shortly after installation, depending on the user's location."
"The Google Play Store would likely detect a trojan banker uploaded to their repository, so criminals resort to more covert methods. One way is with an app, sometimes legitimate with some of the advertised features, that doubles as a dropper for more insidious malware," Bitdefender researchers say.
The apps uncovered by Bitdefender are disguised as file managers and request permission to install external packages, which is what lets them download and install the malware.
"As Google Play apps only need the functionality of a file manager to install another app and the malicious behavior is activated to a restricted pool of users, they are challenging to detect," researchers say.
Although the apps have now been removed from Google Play, researchers warn that they are still available in various third-party stores across the web, so they remain a current threat.
Most downloads came from users in the United Kingdom and Italy, with a small minority in other countries.
Traditionally, a banking Trojan harvests user credentials and other sensitive financial and personal information stored on a device, to be used in subsequent online fraud or phishing campaigns.
Researchers at Bitdefender uncovered the application X-File Manager from Google Play with over 10,000 installs before it was deleted.
This application installs a SharkBot sample labeled _File Manager, tricking the user into believing that an update to the app must be installed.
"The developer profile on Google Play seems to be visible only to users from Italy and Great Britain. Accessing its page without specifying the country code is not possible," researchers say.
Bitdefender also says that multiple users reported the app and that it received several negative reviews, especially from Italy.
In further analysis of the X-File Manager app, Bitdefender researchers found that it requests multiple permissions from users, including:
They also found that the application performs anti-emulator checks and targets users in Great Britain and Italy by verifying whether the SIM ISO country code is IT or GB.
"It also checks if the users have installed at least one of the targeted banking applications on their devices," researchers say. "The application performs a request at URI, downloads the package, and writes the malicious payload on the device."
Finally, the dropper fakes an update for the current application and prompts the user to install the dropped APK, completing the installation.
Previous Attack Incidents
This is not the first time SharkBot operators have used the Google Play store. In September, cybersecurity firm Fox-IT found that the operators behind SharkBot were distributing the malware through now-deactivated applications that had already accumulated tens of thousands of installations.
The malicious apps, called Mister Phone Cleaner and Kylhavy Mobile Security, had been downloaded 50,000 and 10,000 times respectively, Fox-IT said. The malware primarily targeted victims in Spain, Australia, Poland, Germany, the United States and Austria.
Cybersecurity researchers at Cleafy identified the Trojan in October 2021, when the operators targeted banking and crypto service customers in the United Kingdom, Italy and the U.S. via sideloading and social engineering campaigns.
An earlier update of the SharkBot Trojan was seen stealing victims' session cookies, including those created when they log into their bank accounts. It detects when a victim opens a banking application and then performs an additional injection or overlay attack to steal credentials.