When you install an app from the Google Play Store, you can be sure that you’re getting it from the safest source around. But as we’ve seen so many times in the past, this isn’t a guarantee that those apps are safe to use.
As reported on the Fox-IT blog, two apps (which have since been removed from the Play Store) managed to get through the usual malware checks and onto tens of thousands of Android phones.
The hackers cleverly outwitted Google’s automatic checks by submitting harmless looking apps which contained no malicious code. It was only when people first launched those apps that they requested an ‘update’ which – if the user approves the request – downloads the Sharkbot malware.
This is a particularly nasty one as it targets your bank password in particular. According to the blog, the apps are using a new version of Sharkbot (seen previously in March 2022) which uses the traditional ‘keylogging’ technique to capture your banking password as you type it in. But it’s also designed to record your bank balance from the app and send it to the hackers along with any login details it has managed to steal.
The two infected apps are ‘Mister Phone Cleaner’ which had been installed by at least 50,000 people, and Kylhavy Mobile Security – a fake antivirus app.
Both dupe users into installing the malware by claiming they need to update themselves. This means they don’t need to ask for dubious permissions when you first install them and, of course, allows them to get through the Google Play Store checks without any issues.
Google was quick to remove the apps, but if you have either or both on your phone, it’s crucial to delete them.
You should also run a virus scan using a genuine antivirus app such as Norton Mobile Security or Bitdefender Mobile Security.
The Fox-IT researchers were able to look at the code and see that this latest version of Sharkbot is targeting a lot more countries than it did back in March:
They also say that the malware targets certain apps and tries to prevent it from allowing the user to sign in with their fingerprint and instead display a username and password form. If it didn’t do that, it wouldn’t be able to steal any login details.
The post also says that it expects more ‘campaigns’ this year, which means more fake antivirus and Android ‘cleaner’ apps appearing in the Play Store that use exactly the same strategy to go undetected.
So, be on the lookout. Just because Mister Phone Cleaner and Kylhavy Mobile Security have been removed, there are likely plenty more of their kind just waiting to be approved in Google Play.
Of course, Sharkbot is far from the first piece of malware to go after your bank details: EventBot did something similar in 2020.
If you’re after an antivirus app or one to clear out junk and free up memory on your phone, be sure you’re installing the genuine article. Be wary of brand new apps with five-star user reviews; these are often fake.
You can find our recommendations for the best Android antivirus.