Data-stealing malware disguised as antivirus tools found to have been downloaded thousands of times on Google Play Store

Given how many malware-infected programs have slipped into the Play Store, it’s starting to feel like Google is wasting its breath when it warns people about the dangers of sideloading apps. Six apps were removed from the store after they were discovered to be login credential-stealing malware masquerading as antivirus tools.

Check Point security researchers said the six apps had been downloaded more than 15,000 times before Google removed them from its store. Ironically, users who thought they were downloading antivirus software were actually installing Sharkbot, an Android data-stealing malware.


Sharkbot works by convincing victims to enter their credentials in a window that mimics an input form, usually when it detects a banking app is open. It can also steal information by keylogging, intercepting text messages, and gaining full remote access.

Once victims enter their username and password, those details are sent to a malicious server and used to access banking, social media, email, and other accounts. Most of the victims were from the UK and Italy. Interestingly, the malware uses geofencing to specifically identify and ignore users in China, India, Romania, Russia, Ukraine or Belarus.

The apps were able to evade Play Store protections because their malicious behavior wasn’t activated until someone downloaded them and the app communicated with the server, ZDNet wrote. Sharkbot-infected apps were removed from the Google Play Store in March, although they may still be available in other stores.

Just two weeks ago, researchers at French mobile security firm Pradeo revealed that an app called Craftsart Cartoon Photo Tools contained a version of the Android Trojan malware called Facestealer. It was able to steal mobile users’ Facebook login credentials and was downloaded more than 100,000 times before Google removed it.
