The specialists of the Check Point information security company found seven applications disguised as antiviruses in the Google Play Store that infect Android devices with the SharkBot banking Trojan.
The Trojan steals credentials and banking information, and is also equipped with a geo-positioning function and uses other invasive techniques, which distinguishes it from other malware.
SharkBot does not infect users’ devices in China, India, Romania, Russia, Ukraine and Belarus. Before Google removed the malware from its app store, it was downloaded 15 thousand times. Most of the victims are in Italy and the UK.
SharkBot uses Accessibility Services permissions to display fake windows on top of legitimate banking applications. When an unsuspecting user enters his name and password in this fake window disguised as an authorization form, all this data is immediately sent to the server controlled by the attackers.
It is noteworthy that the malware is able to automatically respond to Facebook Messenger and WhatsApp notifications to distribute a phishing link to a fake antivirus application. Thus, SharkBot spreads like a worm.
Recently, Google also removed from the Play Store a number of applications containing spyware that collected user location data.