More malicious apps have turned up in the Google Play app store. They pose as file managers, then later infect devices with the Sharkbot banking trojan. The apps do not appear harmful at download time, which makes malicious activity harder to detect.
What to Watch Out For
As of writing, the apps are no longer available on the Google Play app store, but that doesn't mean there are no similar apps out there. Some users may also still have the apps installed on their devices, and it is recommended to uninstall them immediately. BitDefender detected several such apps in its research.
One of those is "X-File Manager", developed by Viktor Soft Ice LLC, which got around 10,000 downloads before being taken down. According to reports, it runs a series of anti-emulation checks to avoid detection. It appears to load the Sharkbot malware for specific users, such as those using British or Italian SIMs. The distribution of the Sharkbot trojan affects people from the UK, Italy, Iran, and Germany.
The app requests permissions that seem like standard procedure given the nature of the app, but they grant the threat actor access to sensitive data. These permissions include reading and writing external storage, installing new packages, and accessing account details. It may also delete packages to avoid being traced.
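As an added example (not from BitDefender's report or the original article), the Python sketch below flags an app whose `aapt dump permissions` output shows the permission combination described above. The mapping of the article's descriptions to Android permission constants, the `review` threshold, and the sample dumps with their placeholder package names are assumptions constructed for illustration.

```python
import re

# Assumed mapping of the article's permission descriptions to Android constants.
STORAGE = {"android.permission.READ_EXTERNAL_STORAGE",
           "android.permission.WRITE_EXTERNAL_STORAGE"}
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
DELETE = "android.permission.REQUEST_DELETE_PACKAGES"
ACCOUNTS = "android.permission.GET_ACCOUNTS"

PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)")
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def parse_dump(text):
    """Return (package, permissions) from `aapt dump permissions` output."""
    package, perms = None, set()
    for line in map(str.strip, text.splitlines()):
        if m := PKG_RE.match(line):
            package = m.group(1)
        elif m := PERM_RE.match(line):
            perms.add(m.group(1))
    return package, perms

def assess(perms):
    """Return (verdict, reasons). 'review' means inspect by hand, not 'malicious':
    a genuine file manager can legitimately hold some of these permissions."""
    checks = [(STORAGE <= perms, "reads and writes external storage"),
              (INSTALL in perms, "can prompt to install other APKs"),
              (ACCOUNTS in perms, "can list accounts on the device"),
              (DELETE in perms, "can request removal of packages")]
    reasons = [why for hit, why in checks if hit]
    dropper_like = (STORAGE <= perms and INSTALL in perms
                    and (ACCOUNTS in perms or DELETE in perms))
    return ("review" if dropper_like else "ok"), reasons

# Constructed sample dumps; package names are placeholders, not real apps.
SUSPECT = """package: com.example.filemanager
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.REQUEST_DELETE_PACKAGES'"""
BENIGN = """package: com.example.plainfiles
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'"""

if __name__ == "__main__":
    for dump in (SUSPECT, BENIGN):
        pkg, perms = parse_dump(dump)
        verdict, reasons = assess(perms)
        print(f"{pkg}: {verdict} ({'; '.join(reasons)})")
```

A `review` verdict only means the app holds the same combination of permissions the article describes; it still needs a manual look before any conclusion is drawn.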
The other malicious app is "FileVoyager", developed by Julia Soft lo LLC. It was downloaded 5,000 times before being taken down, and it also targets users in areas like the UK and Italy. Another app, "LiteCleaner M", got only 1,000 downloads before being removed, but it still poses a threat to its users, so it's best to remove the app as soon as possible.
Why They're Dangerous
These apps seem legitimate at first, but then they request permission to install external packages. Unbeknownst to the user, they are actually downloading the Sharkbot banker. The app then writes a payload to the device and shows a fake update prompt in which targets are asked to install an APK.
The Sharkbot malware will try to steal your bank information by showing login forms that appear to come from banking apps, as mentioned by Bleeping Computer. The credentials entered on the form are then sent to the threat actors. If you have experienced this, make sure to update your bank and account passwords immediately.
The app itself checks whether the user has other banking apps installed that are included in its list. That list of banks was found in its code, and it also covers other financial services. Although BitDefender uploaded a list, the threat actors can easily update their assets remotely. The following apps were detected as targets as of late, according to the site.
Package name | Financial institution |
com.barclays.android.barclaysmobilebanking | Barclays |
com.bankofireland.mobilebanking | Bank of Ireland Mobile Banking |
com.cooperativebank.bank | The Co-operative Bank |
ftb.ibank.android | AIB (NI) Mobile |
com.nearform.ptsb | permanent tsb |
uk.co.mbna.cardservices.android | MBNA Mobile App |
com.danskebank.mobilebank3.uk | Mobile Bank UK - Danske Bank |
com.barclays.bca | Barclaycard |
com.tescobank.mobile | Tesco Bank and Clubcard Pay+ |
com.virginmoney.uk.mobile.android | Virgin Money Mobile Banking |
com.cooperativebank.smile | "smile - the internet bank" |
com.starlingbank.android | Starling Bank - Mobile Banking |
uk.co.metrobankonline.mobile.android.production | Metro Bank |
uk.co.santander.santanderUK | Santander Mobile Banking |
uk.co.hsbc.hsbcukmobilebanking | HSBC UK Mobile Banking |
uk.co.tsb.newmobilebank | TSB Mobile Banking |
com.grppl.android.shell.BOS | Bank of Scotland Mobile App |
com.grppl.android.shell.halifax | Halifax Mobile Banking |
com.grppl.android.shell.CMBlloydsTSB73 | Lloyds Bank Mobile Banking |
it.copergmps.rt.pf.android.sp.bmps | Banca MPS |
it.extrabanca.mobile | NewExtraMobileBank |
it.relaxbanking | RelaxBanking Mobile |
it.bnl.apps.banking | BNL |
it.bnl.apps.enterprise.hellobank | Hello Bank! |
it.ingdirect.app | ING Italia |
it.popso.SCRIGNOapp | SCRIGNOapp |
posteitaliane.posteapp.appbpol | BancoPosta |
com.latuabancaperandroid | Intesa Sanpaolo Mobile |
com.latuabancaperandroid.pg | Intesa Sanpaolo Business |
com.latuabancaperandroid.ispb | Intesa Sanpaolo Private |
com.fineco.it | Fineco |
com.CredemMobile | Credem |
com.bmo.mobile | BMO Mobile Banking |
com.fideuram.alfabetobanking | Alfabeto Banking |
com.lynxspa.bancopopolare | YouApp - Mobile Banking |
com.vipera.chebanca | CheBanca! |