
A new collection of malicious Android apps posing as harmless file managers has infiltrated the official Google Play app store, infecting users with the Sharkbot banking trojan.

The apps do not carry the malicious payload upon installation to evade detection when submitted on Google Play but instead fetch it later from a remote resource.

Because the trojan apps are file managers, they are less likely to raise suspicion when requesting the dangerous permissions needed to load the Sharkbot malware.

Fake file managers infect Android

Sharkbot is a dangerous malware that attempts to steal online bank accounts by displaying fake login forms over legitimate login prompts in banking apps. When a user attempts to log in to their bank using one of these fake forms, the credentials are stolen and sent to the threat actors.

The malware has constantly been evolving, appearing on the Play Store under various guises or loaded from trojan apps.

In a new report by Bitdefender, analysts discovered the new Android trojan apps disguised as file managers and reported them to Google. All of them have since been removed from the Google Play Store.

However, many users who downloaded them previously may still have them installed on their phones or still suffer from undiscovered remnant malware infections.

The first malicious app is ‘X-File Manager’ by Victor Soft Ice LLC (com.victorsoftice.llc), downloaded 10,000 times via Google Play before Google eventually removed it.

X-File Manager on Google Play (Bitdefender)

The app performs anti-emulation checks to evade detection and will only load Sharkbot on British or Italian SIMs, so it is part of a targeted campaign.

The list of mobile bank apps targeted by the malware is displayed below, but as Bitdefender notes, the threat actors can remotely update this list anytime.

Banks targeted by this Sharkbot campaign (Bitdefender)

Bitdefender’s telemetry data reflects the narrow targeting of this campaign, as most victims of the particular Sharkbot distribution wave are located in the United Kingdom, followed by Italy, Iran, and Germany.

The malicious app requests the user to grant risky permissions like reading and writing external storage, installing new packages, accessing account details, deleting packages (to wipe traces), etc.

However, these permissions appear normal and expected in the context of file management apps, so users are less likely to treat the request with caution.
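The permission pattern described above can be checked statically. The following is an added example, not code from the article or from Bitdefender: it parses a constructed, decoded AndroidManifest.xml and flags the permission set the report lists. The mapping from the report's wording (external storage, installing and deleting packages, account details) to concrete manifest permission names is an assumption of this example.

```python
"""Triage a decoded AndroidManifest.xml for the permission set a file-manager
loader asks for: storage access plus package install/delete and account access."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: these manifest permissions correspond to the capabilities the
# report describes (external storage, installing/deleting packages, accounts).
RISKY_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE": "read external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write external storage",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install new packages (fetched payload)",
    "android.permission.REQUEST_DELETE_PACKAGES": "delete packages (wipe traces)",
    "android.permission.GET_ACCOUNTS": "access account details",
}

# Constructed sample manifest (not taken from any real app): a "file manager"
# that also asks to install and delete packages.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.filemanager">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """Return every <uses-permission android:name=...> value in declaration order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def flag_risky(manifest_xml: str) -> dict:
    """Map each declared risky permission to the capability it grants."""
    return {p: RISKY_PERMISSIONS[p] for p in declared_permissions(manifest_xml)
            if p in RISKY_PERMISSIONS}


def looks_like_loader(manifest_xml: str) -> bool:
    """Heuristic: an app that asks to both install and delete packages matches
    the fetch-payload-later pattern described in the report."""
    flagged = flag_risky(manifest_xml)
    return ("android.permission.REQUEST_INSTALL_PACKAGES" in flagged
            and "android.permission.REQUEST_DELETE_PACKAGES" in flagged)


if __name__ == "__main__":
    for perm, why in flag_risky(SAMPLE_MANIFEST).items():
        print(f"{perm}: {why}")
    print("loader pattern:", looks_like_loader(SAMPLE_MANIFEST))
```

Storage permissions alone are expected for a genuine file manager; the install-plus-delete combination is the part worth a closer look during app review.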

Sharkbot is fetched as a fake program update, which X-File Manager prompts the user to approve before installing.

The second malicious app that installs the banking trojan is ‘FileVoyager’ by Julia Soft Io LLC (com.potsepko9.FileManagerApp), downloaded 5,000 times via Google Play.

FileVoyager on Google Play (Bitdefender)

FileVoyager features the same operational pattern as X-File Manager and targets the same financial institutions in Italy and the UK.

Another Sharkbot loading app spotted by Bitdefender is ‘LiteCleaner M’ (com.ltdevelopergroups.litecleaner.m), which amassed 1,000 downloads before it got spotted and removed from the Play Store.

Currently, this app is only available via third-party app stores like APKSOS. The same third-party app store hosts a fourth Sharkbot loader named ‘Phone AID, Cleaner, Booster 2.6’ (om.sidalistudio.developer.app).

If these apps are installed, Android users should remove them immediately and change the passwords for any online bank accounts they use.

As the threat actors distributed these apps directly from Google Play, the best way to protect yourself is to keep the Play Protect service enabled so that malicious apps are removed as they are detected.

Furthermore, a mobile security application for Android would help detect malicious traffic and apps, even before they are reported to Google Play.
