Malicious apps masquerade as Android file managers to spread malware

A new batch of malicious Android apps has slipped past Google Play's review and collected more than ten thousand downloads before being removed, researchers have warned.

Cybersecurity researchers at Bitdefender recently identified four such apps: “X-File Manager”, “FileVoyager”, “PhoneAID, Cleaner, Booster 2.6” and “LiteCleaner M”. Between them they amassed at least 16,000 downloads, and all four were distributing Sharkbot, a known Android banking trojan.

The apps are disguised as utilities: three pose as file managers and the fourth as a memory and phone cleaner. The researchers suggest the attackers chose these categories so that the broad permissions the apps later request would not raise suspicion, since a file manager asking for wide access to the device looks routine.

Delivering the payload

Those permissions matter because Sharkbot cannot steal banking data without them, including the ability to draw overlays on top of other apps. Sharkbot works by placing a fake login screen over a legitimate banking app, so that when the user enters their credentials the trojan captures them.

The apps appear to have passed Google's security checks by not carrying the malware at install time. Instead, the app later prompts the user to apply an “update”, and it is this second-stage download that deploys the trojan. Because the malicious code is only fetched after installation, the review of the submitted app sees none of it.
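The two-stage pattern described above leaves a trace on the device: a package installed by another third-party app rather than by the Play Store, often alongside overlay and install permissions that a file manager has no business requesting. The following triage script is an added example, not code from the article or from Bitdefender. It parses the `package:<name>  installer=<installer>` lines printed by `adb shell pm list packages -3 -i`, combines them with each app's requested permissions (which in practice come from `dumpsys package <pkg>`), and flags the suspicious combinations. The package names, the sample `pm` output and the permission map are constructed for illustration.

```python
"""Triage third-party Android packages for the Play Store dropper pattern.

Added example (not the article's or Bitdefender's code). The sample input
mimics `adb shell pm list packages -3 -i`, which prints one
`package:<name>  installer=<installer>` line per third-party app
(`installer=null` when the installer is unknown). Package names and
permission sets below are constructed.
"""
import re
from dataclasses import dataclass, field

PLAY_STORE = "com.android.vending"
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")

# Permissions a banking trojan needs but a plain file manager should not.
SUSPECT_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW",       # draw over other apps
    "android.permission.REQUEST_INSTALL_PACKAGES",  # sideload the "update"
}

# Constructed sample: a clean app, a dropper, the package it installed,
# and an app with no known installer.
SAMPLE_PM_OUTPUT = """\
package:com.example.notes  installer=com.android.vending
package:com.example.filemgr  installer=com.android.vending
package:com.example.filemgr.update  installer=com.example.filemgr
package:com.example.sideload  installer=null
"""

# Constructed: requested permissions per package (from dumpsys in practice).
SAMPLE_PERMS = {
    "com.example.notes": {"android.permission.INTERNET"},
    "com.example.filemgr": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.SYSTEM_ALERT_WINDOW",
    },
    "com.example.filemgr.update": {"android.permission.SYSTEM_ALERT_WINDOW"},
}


@dataclass
class Finding:
    package: str
    reasons: list = field(default_factory=list)


def parse_pm_list(text):
    """Return {package: installer} from `pm list packages -i` output."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def triage(pm_output, requested_perms, trusted_installers=frozenset({PLAY_STORE})):
    """Flag packages whose installer or permissions fit the dropper pattern."""
    installers = parse_pm_list(pm_output)
    findings = []
    for pkg, installer in sorted(installers.items()):
        reasons = []
        if installer in installers:
            # Installed by another third-party app: what a Play Store
            # dropper does when it fetches its "update" after install.
            reasons.append(f"installed by third-party app {installer}")
        elif installer not in trusted_installers:
            reasons.append(f"installer {installer} is not a trusted store")
        bad = SUSPECT_PERMS & requested_perms.get(pkg, set())
        if bad:
            short = sorted(p.rsplit(".", 1)[-1] for p in bad)
            reasons.append("requests " + ", ".join(short))
        if reasons:
            findings.append(Finding(pkg, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PM_OUTPUT, SAMPLE_PERMS):
        print(f"{f.package}: " + "; ".join(f.reasons))
```

On a real device, feed the script the output of `adb shell pm list packages -3 -i` and a permission map built from `adb shell dumpsys package <pkg>`. A package whose installer is another user-installed app is the strongest signal here; it is exactly what the delayed “update” leaves behind, and the original dropper will usually still look like a legitimate Play Store install.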

Most victims appear to be in the UK and Italy, although the researchers also observed the threat actors targeting bank accounts in Iran and Germany.

Although Google removed the apps from the Play Store promptly, removal from the store does not uninstall them from the phones of the 16,000 or more people who already installed them, and those users remain at risk.

Until they remove the apps from their devices, including anything the in-app “update” installed, and change the passwords on their banking accounts, they remain exposed to identity theft, wire fraud and other cybercrime.

To guard against such attacks, the researchers recommend keeping Google Play Protect enabled and running an Android antivirus app. It is also worth treating any utility app that asks to draw over other apps or to install packages as a warning sign, since neither is something a file manager or cleaner needs.

Via: BleepingComputer