SharkBot Malware Reappears in the Google Play Store

The best way to prevent malware from creeping onto your Android phone is to only download apps from the official Play Store. However, no method is foolproof. Malware creators occasionally find a way to hide malware in Google’s repository, at least for a little bit. Earlier this year, security researchers spotted a malicious software package called SharkBot spreading through the Play Store. It was stamped out, of course, but now it’s back with a vengeance.
In the early days of the Play Store, Google would allow every app to go live with minimal oversight. Slowly, it has ratcheted up its automated and human-powered checks, which makes it very difficult to upload a known piece of malware. So, most malware campaigns today attempt to distribute a seemingly innocuous app that then downloads a malicious payload. That’s what SharkBot does.
When originally detected in February 2022, the SharkBot dropper was ironically pretending to be an antivirus app. It used Android’s Accessibility service to download and install its malicious code without user interaction, giving the creators access to banking information, keystrokes, and even the ability to take over a phone completely. The latest version even adds a feature to steal login cookies so the attackers can access user accounts.
The new dropper doesn’t have the same installation trick. Google has started cracking down on apps that use the Accessibility service for exactly this reason. The same systems that help disabled people use their phones can be hijacked to install malware without the user’s knowledge. Now, apps that call for Accessibility need to have a good reason, and Google will boot apps that don’t. Instead, the new SharkBot dropper downloads the malware, which masquerades as a fake security update and has to be installed by the user.

Since the new dropper can’t use Accessibility to get the job done, it relies on the user to manually allow unknown sources and install the dangerous code. That’s much less likely, but it still happens. The dropper popped up in several listings, including a phone cleaner and a security suite (both now deleted). They have tens of thousands of downloads, so probably at least some of those people went through all the steps to install the malware.
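For readers who review apps before allowing them on managed phones, the two dropper styles described above leave different traces in an app's manifest. The following is an added example, not code from this article or from Fox-IT: it assumes the manifest has already been decoded to plain XML, the permission names are Android's own, and the package and service names are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
INTERNET = "android.permission.INTERNET"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage(manifest_xml):
    """Return review findings for a decoded (plain-text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = []
    # Newer dropper style: fetch a package, then ask the user to install it.
    if INSTALL in perms and INTERNET in perms:
        findings.append("can-download-and-request-install")
    elif INSTALL in perms:
        findings.append("can-request-install")
    # Older dropper style: an Accessibility service able to act for the user.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == BIND_A11Y:
            findings.append("accessibility-service:" + str(svc.get(ANDROID_NS + "name")))
    return findings


# Constructed sample manifests (hypothetical apps, not real listings).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
SAMPLE_CLEANER = (HEAD % "com.example.cleaner") + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application/>
</manifest>"""
SAMPLE_ANTIVIRUS = (HEAD % "com.example.antivirus") + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_NOTES = (HEAD % "com.example.notes") + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in [("cleaner", SAMPLE_CLEANER), ("antivirus", SAMPLE_ANTIVIRUS),
                      ("notes", SAMPLE_NOTES)]:
        print(name, triage(xml))
```

A finding here is a reason to look closer, not a verdict: legitimate app stores and accessibility tools declare the same permissions.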
Security researchers at Fox-IT, who detected SharkBot, believe that the ongoing development means we can expect it to continue sneaking into the Play Store. If any app asks you to manually install something, you probably want to go the other way and uninstall the whole thing.