SharkBot Malware Found in Android File Manager Apps With Thousands of Downloads

Variants of the SharkBot malware were found in several file manager Android apps on the Google Play Store, some of them with thousands of downloads.

While the apps have now been taken down by Google, security researchers at Bitdefender published an advisory earlier this week to describe the threat.

"The Google Play Store would likely detect a trojan banker uploaded to their repository, so criminals resort to more covert methods," reads the technical write-up.

"One way is with an app, sometimes legitimate with some of the advertised features, that doubles as a dropper for more insidious malware."

This was the case with several apps that posed as file managers, a disguise that justified asking the user for permission to install external packages.

"Of course, that permission is used to download malware," Bitdefender wrote. "As Google Play apps only need the functionality of a file manager to install another app and the malicious behavior is activated to a restricted pool of users, they are challenging to detect."

Additionally, while the apps discovered by the team are no longer available on the Google Play Store, they can still be found in different third-party stores, making them a current threat.
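A defender-side check for the permission described above, as an added example that is not from Bitdefender or this article: it reads a decoded AndroidManifest.xml and flags apps declaring `android.permission.REQUEST_INSTALL_PACKAGES`, the Android permission for requesting package installs. The sample manifests, package names and the `EXPECTED_INSTALLERS` allowlist are constructed assumptions, and a hit is a prompt for review rather than a verdict, since file managers can request this permission legitimately.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
# Hypothetical allowlist: packages the organisation expects to install other apps.
EXPECTED_INSTALLERS = {"com.example.corp.appstore"}


def requested_permissions(manifest_xml):
    """Return (package, permission names) from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    # Permissions may be declared with either element name.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return root.get("package", ""), perms


def audit(manifest_xml):
    """Flag apps that can ask the user to allow installing other packages."""
    package, perms = requested_permissions(manifest_xml)
    can_install = INSTALL_PERM in perms
    return {
        "package": package,
        "can_request_installs": can_install,
        "needs_review": can_install and package not in EXPECTED_INSTALLERS,
    }


# Constructed sample manifests (not taken from any real app).
SAMPLE_WITH_INSTALL = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

SAMPLE_WITHOUT_INSTALL = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_INSTALL, SAMPLE_WITHOUT_INSTALL):
        print(audit(sample))
```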

The first app analyzed by the Bitdefender team was 'X-File Manager,' developed by 'Viktor Soft ICe LLC' and counting over 10,000 installs before it was deleted. 'FileVoyager' was the second one, created by 'Julia Soft Io LLC' and counting roughly 5,000 downloads.

Bitdefender found two more apps following the same pattern, but they were never available on the Google Play Store. They are called 'Phone AID, Cleaner, Booster' and 'LiteCleaner M' and were discovered on the web through third-party app stores.

The majority of users who downloaded the malicious apps were from the United Kingdom (80.6%) and Italy (16.2%), with a small minority in other countries.

More information about each individual malware app is available in the Bitdefender advisory. Its publication comes weeks after cybersecurity experts at Cleafy suggested the Android banking Trojan Vultur has reached more than 100,000 downloads on the Google Play Store.
