SharkBot Trojan in the Play Store – "Antivirus apps" risk

The SharkBot banking Trojan has reappeared in the Google Play Store, disguised as an antivirus and cleaner app. Security researchers from CyberNews write: Android users should think twice before downloading free apps to clean their phones and "protect" them from viruses – because many of them contain data trackers and some even appear to include links to potentially malicious domains.


SharkBot Trojan in the Play Store

Fox-It had already discovered the SharkBotDropper in the Google Play Store in February 2022. The Trojan posed as a fake Android antivirus and cleaner. Now the security researchers have discovered a new version of this dropper in the Google Play Store.

Mister Phone Cleaner - SharkBot Trojan

This new dropper does not rely on permissions to automatically install the SharkBot malware dropper, security researchers say. Instead, this new version of the Trojan asks the victim to install the malware as a fake update for the antivirus program in order to stay protected from threats.

Kylhavy Mobile Security - SharkBot Trojan

Security researchers have found two SharkBotDropper apps in the Google Play Store, installed 10,000 and 50,000 times respectively. The apps in question, "Mister Phone Cleaner" and "Kylhavy Mobile Security," have a combined 60,000 installs and primarily target users in the UK, Italy, Spain, Australia, Poland, Germany, the US, and Austria.


The key new finding is that the two attack apps use a less sophisticated approach than the previously detected SharkBot activity to evade detection in the Play Store. A "clean" app is installed from the Play Store as a "phone cleaner." Later, the app suggests an "update of an antivirus package." The cybercriminals rely on the user to unknowingly allow the malicious package to be installed instead of trying an automatic installation on the user's device. By doing so, the cybercriminals hope to prevent the attack program's code from being scrutinized in more detail.

In addition to containing relatively little malicious code, these apps also use localization checks to keep themselves inconspicuous. Attempts to drop the malicious package are limited to those devices that match the victim's actual profile. Hank Schless from Lookout is therefore currently also warning about attacks on Android smartphones with the SharkBot banking Trojan.

We are seeing a resurgence of the SharkBot malware. It appears that the actors behind this malware continue to intend to steal banking data and customer information while expanding their activities to banks in more countries. With the two covert apps in question and the SharkBot malware package itself, users in the aforementioned countries are now also at risk.

Lookout writes in this regard: Mobile device users should never download apps that are not offered in Google Play or the iOS App Store. But as these two mentioned attacker apps prove, malware can bypass Apple and Google security mechanisms. Therefore, users should reject all prompts to install or update packages from other unknown sources. If an app asks you to update it without being redirected to the official Play Store, it should definitely not be trusted. The new case of SharkBot also points out how malware evolves and can resurface with more advanced features.
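One way to check a device for the pattern described above, where an app from the Play Store later gets the user to install a second package from outside the store (an added example, not from the original article or the cited researchers): the script parses the output of `adb shell pm list packages -i -3` and flags third-party packages whose installer of record is not the Play Store. The package names and the sample output are constructed, and the set of trusted installers is an assumption to adjust.

```python
import re

# Installers treated as official stores (assumption; adjust per fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -i`: package:<name>  installer=<name|null>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

# Constructed sample of `adb shell pm list packages -i -3` output.
SAMPLE = """\
package:com.example.phonecleaner  installer=com.android.vending
package:com.example.avupdate  installer=com.example.phonecleaner
package:com.example.notes  installer=com.android.vending
package:com.example.devtool  installer=null
"""


def parse_installers(text):
    """Map each package name to its installer of record (None if unset)."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a package row
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def audit(installers, trusted=TRUSTED_INSTALLERS):
    """Return (package, installer, reason) for packages not from a trusted store."""
    findings = []
    for pkg, inst in sorted(installers.items()):
        if inst in trusted:
            continue
        if inst in installers:
            # The installer is itself a third-party app on this device.
            reason = "installed by another third-party app"
        elif inst is None:
            reason = "no installer of record"
        else:
            reason = "installed by untrusted installer"
        findings.append((pkg, inst, reason))
    return findings


if __name__ == "__main__":
    for pkg, inst, reason in audit(parse_installers(SAMPLE)):
        print(f"{pkg}: installer={inst} -> {reason}")
```

A package flagged as "installed by another third-party app" is the case closest to the fake-update behaviour described here and is the one to review first.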

Risk from antivirus and cleaner apps

Apart from the banking Trojan above, there is a general danger that apps contain malicious functions. I received this information from Cybernews back in May 2022. Security researchers from CyberNews examined the 40 cleaning and antivirus apps that were most frequently installed in the Google Play Store. They found that free cleaning and antivirus apps put their users at risk of a hacking attack.

  • Almost all of the apps studied contained trackers, with the number varying from a handful to thirty in the case of Nova Security.
  • Shockingly, only Super Antivirus and Virtual Guard were completely free of data tracking, raising serious privacy concerns for Android users of free cleaning apps.
  • Thirteen of the apps were deemed so harmful to privacy that they received the lowest score in the team's security ranking due to "questionable coding practices."
  • The antivirus app Keep Cleaner fared the best, scoring only 54 out of a possible 100 for security.
  • In last place was Safe Security Antivirus Booster and Phone Cleaner, with a miserable score of nine.

The results are especially worrying considering that the two aforementioned apps have more than 100 million registered downloads each.

Why is using free cleaning apps dangerous?

Many of the free options available come with a hidden price: user data is tracked, sold, or simply managed insecurely due to questionable coding and privacy practices of the app developers. Android users should think twice before downloading free apps to clean and "protect" their phones from viruses – because many of them contain data trackers and some even appear to have links to potentially malicious domains, according to the Cybernews research team, which published its findings here (as of August 2022).
