Android antivirus apps caught spreading their own malware

Google removed a number of bogus Android antivirus apps from the Play Store after discovering that they were being used as a vehicle for distributing malware.

According to cybersecurity experts from Check Point Research, the company responsible for the discovery, at least half a dozen antivirus apps available on the official Android market were used to spread banking malware.

The applications in question are called:

  • Atom Clean Booster, Antivirus
  • Antivirus, Super Cleaner
  • Alpha Antivirus, Cleaner
  • Powerful cleaner, antivirus
  • Center Security – Antivirus (two versions)

These rogue apps carried Sharkbot, a strain of malware that steals passwords and banking information. It pushes notifications and presents fake login prompts through which users hand their credentials to the attackers.

Although all have since been removed from the Play Store, Check Point says they remain active in unofficial markets. Android users who had downloaded the apps before they were removed are advised to uninstall them immediately.

Spare the Russians and the Chinese

In just one week of scanning, more than 1,000 unique infected endpoints were identified, with the number increasing by around 100 every day. Figures from Google Play Store show that the malicious apps were downloaded about 11,000 times in total.

The identity of the threat actor remains unknown, although researchers say they have reason to believe the actor is of Russian origin. The malware includes geolocation checks that make it ignore devices in China, India, Romania, Russia, Ukraine, and Belarus. Most of the victims are in the UK and Italy.


The developer accounts that uploaded the apps were Zbynek Adamcik, Adelmio Pagnotto, and Bingo Like Inc. Of the three accounts, two have been active since fall 2021.

However, simply downloading the app is not enough for the threat actors to launch a full-scale attack. The victim still has to grant the app permission to use accessibility services, which the app tries to trick the victim into doing.

Once those permissions are granted, the app can take over most of the smartphone's functions and operate freely.
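Because the takeover hinges on accessibility access, a useful follow-up check after uninstalling a suspect app is to list which services still hold that access. The script below is an added example, not code from the article or from Check Point; it parses the value Android stores in the Secure setting `enabled_accessibility_services` (readable with `adb shell settings get secure enabled_accessibility_services`, a real command and setting) and flags every enabled service whose package is not on a reviewer-maintained allowlist. The allowlist and the package names in the sample value are constructed placeholders, not the packages of the apps named above.

```python
"""Triage the accessibility services enabled on an Android device.

Added example, not part of the article or Check Point's research. It reads
the value of the Secure setting `enabled_accessibility_services` (obtained
with `adb shell settings get secure enabled_accessibility_services`) and
flags every enabled service whose package is not on a reviewer-maintained
allowlist. Package names used in the sample are constructed placeholders.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

# Constructed allowlist: packages a reviewer expects to hold accessibility
# access on a managed device (Android's own TalkBack in this example).
ALLOWLIST = frozenset({"com.google.android.marvin.talkback"})


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    component: str

    @property
    def is_expected(self) -> bool:
        return self.package in ALLOWLIST


def parse_enabled_services(raw: str) -> list[AccessibilityService]:
    """Parse the colon-separated `pkg/component` list Android stores in the
    Secure setting. The value is `null` or empty when nothing is enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, sep, component = entry.partition("/")
        if not sep:
            # Malformed entry: keep the package so the reviewer still sees it.
            component = ""
        # A leading dot means the class lives inside the package itself.
        if component.startswith("."):
            component = package + component
        services.append(AccessibilityService(package, component))
    return services


def unexpected_services(raw: str) -> list[AccessibilityService]:
    """Every enabled service whose package is not on the allowlist."""
    return [s for s in parse_enabled_services(raw) if not s.is_expected]


def read_from_device() -> str:
    """Fetch the live value via adb (needs USB debugging and a connected device)."""
    out = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


# Constructed sample: TalkBack plus a hypothetical fake-AV package that has
# obtained accessibility access, in the format the setting actually uses.
SAMPLE = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
          "com.example.fakeav.cleaner/.AccService")

if __name__ == "__main__":
    for svc in unexpected_services(SAMPLE):
        print(f"review: {svc.package} ({svc.component}) has accessibility access")
```

Run it against `read_from_device()` instead of `SAMPLE` to triage a real handset; anything it reports that is not a screen reader or other tool you deliberately enabled deserves a look, and the Accessibility settings screen is where that access is revoked.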
