Antivirus apps on the Google Play Store spread banking malware

Check Point Research (CPR), the Threat Intelligence division of Check Point Software Technologies, found six applications on the Google Play Store that spread banking malware while posing as antivirus solutions.

Known as Sharkbot, the malware steals credentials and banking information.

Check Point Research counted over 1,000 unique IP addresses of infected devices, especially in Italy.

However, Google Play Store data indicates that the malicious apps have been downloaded over 11,000 times.

Sharkbot lures its victims with push notifications, tricking users into entering credentials when filling out forms. When the user enters their credentials in these windows, the compromised data is sent to a malicious server.

Check Point Research suspects the attackers are Russian-speaking and warns Android users to be very careful even when downloading antivirus solutions, which are supposed to protect them from viruses.

CPR announced that 62% of the victims were found in Italy, 36% in the UK, and 2% in other countries.

The hackers implemented a geolocation feature, which ignores users in China, India, Romania, Russia, Ukraine or Belarus.

Check Point Research responsibly reported the results to Google, which removed the malicious applications.

Four of these apps were from three developer accounts, Zbynek Adamcik, Adelmio Pagnotto, and Bingo Like Inc.

When Check Point Research checked the history of these accounts, it found that two of them were active in the fall of 2021. Some of the apps linked to these accounts have been removed from Google Play, but still exist in unofficial marketplaces.

It could mean that the actor behind the apps is trying not to attract attention while engaging in malicious activities.

The attack works by tricking the user into granting the application accessibility service permissions. After that, the malware takes control of a large part of the victim's device.
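Because the takeover depends on an enabled accessibility service, a defender can audit which apps hold one. The following is an added example, not from Check Point Research or the original article: it parses the output of `adb shell settings get secure enabled_accessibility_services` and flags services outside a reviewed allowlist. The sample string, the `com.example.fakeav` package and the allowlist contents are constructed assumptions.

```python
# Added example: audit enabled Android accessibility services.
# Input is the text printed by:
#   adb shell settings get secure enabled_accessibility_services
# which is a colon-separated list of "package/class" component names.

def parse_enabled_services(raw):
    """Return a list of (package, fully_qualified_class) tuples."""
    raw = (raw or "").strip()
    # The setting is empty or the literal "null" when nothing is enabled.
    if raw in ("", "null"):
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, _, cls = entry.partition("/")
        # A leading dot is shorthand for "<package><class>".
        if cls.startswith("."):
            cls = package + cls
        services.append((package, cls))
    return services


def flag_unexpected(raw, allowlist):
    """Return services whose package is not on the reviewed allowlist."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(raw)
            if pkg not in allowlist]


# Constructed sample: one screen reader plus a hypothetical "antivirus" app.
SAMPLE = ("com.google.android.marvin.talkback/.TalkBackService:"
          "com.example.fakeav/com.example.fakeav.CleanerService")

# Assumption: the only accessibility service this organisation has approved.
ALLOWLIST = {"com.google.android.marvin.talkback"}

if __name__ == "__main__":
    for pkg, cls in flag_unexpected(SAMPLE, ALLOWLIST):
        print(f"review accessibility grant: {pkg} ({cls})")
```

An antivirus or cleaner app appearing in this list is worth a manual review, since such apps rarely need accessibility access.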

Cybercriminals can also send push notifications to victims, containing malicious links.