6 anti-virus apps on Google Play Store steal 15,000 Android users’ data

The Sharkbot Android stealer tricked users into entering their credentials and stole their data.

Highlights
  • Six anti-virus apps on the Google Play Store stole 15,000 users’ data
  • The majority of the victims were from Italy and UK
  • Google has permanently deleted the apps from the Play Store

In an unusual incident, six apps disguised as anti-malware software on the Google Play Store stole sensitive data of around 15,000 Android users. After Google recognised the breach, it permanently removed the apps from the Play Store.

The news comes from a report by Check Point Research, in which three researchers found that hackers, using the Sharkbot Android stealer in the guise of antivirus applications, were stealing passwords, bank details and other personal information from users. The apps saw over 15,000 downloads in all on the Play Store.


“This malware implements a geofencing feature and evasion techniques, which makes it stand out from the rest of the malware. It also makes use of something called domain generation algorithm (DGA), an aspect rarely used in the world of Android malware,” according to the Check Point report.
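A DGA lets malware compute fresh command-and-control hostnames instead of hard-coding one, so blocklists alone do not keep up. One thing defenders can do from their own DNS logs is triage queries whose second-level labels look machine-generated. The following is an added illustration, not code from Check Point or from the report; the log lines, client IP, domains and thresholds are all constructed for the example, and the heuristic (length, character entropy and vowel ratio) is a triage aid, not a definitive detector.

```python
import math
from collections import Counter

# Constructed DNS query log (timestamp, client IP, query type, queried name).
# These are NOT real Sharkbot domains; the generated-looking names are made up.
SAMPLE_LOG = """\
2022-04-07T10:01:12Z 10.0.0.12 A www.example.com
2022-04-07T10:01:13Z 10.0.0.12 A cdn.example-static.net
2022-04-07T10:01:15Z 10.0.0.12 A kqzvxwphdjtrmlcb.com
2022-04-07T10:01:16Z 10.0.0.12 A xtrwqpzlvbdmkhjs.net
2022-04-07T10:01:18Z 10.0.0.12 A mail.example.com
2022-04-07T10:01:19Z 10.0.0.12 A plqzxjwvtrkmbfgd.com
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking strings score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s: str) -> float:
    """Fraction of vowels; pronounceable words usually sit well above 0.25."""
    if not s:
        return 0.0
    return sum(1 for ch in s if ch in VOWELS) / len(s)


def second_level_label(domain: str) -> str:
    """Return the label left of the TLD, e.g. 'example' for www.example.com."""
    parts = domain.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(domain: str, min_len: int = 12,
                    min_entropy: float = 3.5, max_vowels: float = 0.25) -> bool:
    """Heuristic: long, high-entropy, vowel-poor labels are worth a closer look.
    Thresholds are assumptions chosen for this example, not published values."""
    label = second_level_label(domain)
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowels)


def scan_log(log_text: str) -> dict:
    """Group suspicious queries by client IP so a device with several
    generated-looking lookups in a short window stands out for follow-up."""
    flagged = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client_ip, _qtype, name = fields
        if looks_generated(name):
            flagged.setdefault(client_ip, []).append(name)
    return flagged


if __name__ == "__main__":
    for ip, names in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} generated-looking queries -> {names}")
```

Run over the constructed log, the three consonant-heavy names are flagged for 10.0.0.12 while `www.example.com`, `cdn.example-static.net` and `mail.example.com` pass. In practice the per-IP count over a time window, plus a check for many NXDOMAIN answers, matters more than any single name, since real DGAs vary their character distribution.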

These apps on Google Play Store stole personal data of users

The six malware apps dressed in antivirus clothes infected over 15,000 users with Sharkbot Android malware, which steals credentials and banking information. During the research, Check Point discovered about 1,000 IP addresses of infected devices. The majority of the victims were from Italy and the United Kingdom.

6 malware apps on the Google Play store

These are the six apps that were found to be corrupted and later removed from the Google Play Store. “Sharkbot doesn’t target every potential victim it encounters, but only select ones, using the geo-fencing feature to identify and ignore users from China, India, Romania, Russia, Ukraine or Belarus,” said the report.

Sharkbot prompts victims to enter their credentials into windows that appear to be legitimate credential entry forms. Whatever the user types into these windows is then transferred to the hackers.