The operators behind banking Trojan SharkBot are targeting Google Play users by masquerading as now-deactivated Android file manager apps and have tens of thousands of installations so far.
Cybersecurity firm Bitdefender says it found applications on Google Play store disguised as file managers and acting “as droppers for SharkBot bankers shortly after installation, depending on the user’s location.”
“The Google Play Store would likely detect a trojan banker uploaded to their repository, so criminals resort to more covert methods. One way is with an app, sometimes legitimate with some of the advertised features, that doubles as a dropper for more insidious malware,” Bitdefender researchers say.
The apps uncovered by Bitdefender are disguised as file managers and require permission to install external packages, leading to malware downloading.
“As Google Play apps only need the functionality of a file manager to install another app and the malicious behavior is activated to a restricted pool of users, they are challenging to detect,” researchers say.
However, the apps are removed for now, researchers warn that they are still present across the web in different third-party stores, making them a current threat.