A new variant of SharkBot, the Android banking trojan that manages to bypass control systems and steal financial information from unsuspecting victims, has been identified.

In a new report, Bitdefender analysts say they have identified several apps on the Google Play Store that pose as Android file managers but actually act as droppers for a new variant of the SharkBot banking trojan. The malware steals financial data by using overlay techniques to display fake login forms on top of legitimate banking app login prompts on affected devices.

The credentials entered on these fake forms would actually be captured and sent to the threat actors.

Here are the names of the incriminated apps:

  • X-File Manager, with more than 10,000 downloads;
  • FileVoyager, with more than 5,000 downloads;
  • LiteCleaner M, with more than 1,000 downloads;
  • Phone AID, Cleaner, Booster

How does SharkBot work?

The dropper application sends a request to a URI, downloads the package, and writes the malicious payload to the device. It then simulates an update of the current application to complete the installation, prompting the user to install the dropped APK.
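
A defender-side check for the behaviour described above, as an added example that is not from the Bitdefender report or this article: it reads a decoded AndroidManifest.xml (for instance from apktool output) and flags apps that declare both permissions needed to download a package and prompt for its installation. The helper names, package names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# On Android 8.0+ an app needs both of these to fetch an APK over the
# network and hand it to the system installer prompt.
DROPPER_PERMS = {
    "android.permission.INTERNET",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

def triage(manifest_xml):
    """Return package name, matched permissions and a review flag."""
    root = ET.fromstring(manifest_xml)
    declared = set()
    for el in root.iter():
        # uses-permission-sdk-23 declares the same thing for API 23+ only
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(ANDROID_NS + "name")
            if name:
                declared.add(name.strip())
    matched = sorted(DROPPER_PERMS & declared)
    return {
        "package": root.get("package", "<unknown>"),
        "matched": matched,
        # A triage signal for manual review, not a malware verdict.
        "review": len(matched) == len(DROPPER_PERMS),
    }

def _manifest(package, perms):
    """Build a constructed sample manifest for the demo below."""
    lines = "".join(
        '<uses-permission android:name="android.permission.%s"/>' % p for p in perms
    )
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="%s">%s<application/></manifest>' % (package, lines)
    )

# Constructed samples: hypothetical package names, not real apps.
SAMPLE_A = _manifest("com.example.filemanager",
                     ["INTERNET", "REQUEST_INSTALL_PACKAGES", "READ_EXTERNAL_STORAGE"])
SAMPLE_B = _manifest("com.example.notes", ["INTERNET", "READ_EXTERNAL_STORAGE"])

if __name__ == "__main__":
    for sample in (SAMPLE_A, SAMPLE_B):
        print(triage(sample))
```

Legitimate file managers can also request the install permission, so a match here is a reason to inspect the app's download and install code paths rather than a conclusion.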

Although the analysts responsibly reported their findings to Google Play before publishing them, some of these apps are still available on third-party app stores, and many users who downloaded them earlier may still have them installed on their smartphones, with all the attendant consequences.

It would also be desirable for financial organizations to take proactive action to protect their customers and to promptly initiate reporting procedures if they detect even indirect involvement of their apps in fraudulent activities.