In case you missed it, cybersecurity firm ThreatFabric published a report last Friday regarding its discovery of five malicious Google Play apps masquerading as legitimate services, including finance tracking and calculating taxes.
The quintet of apps fall under two relatively new malware families: Vultur and Sharkbot. And yes, they're every bit as vicious as they sound (h/t GreenBot).
The five apps you must remove ASAP
Let's start with the malicious trio of apps that stem from the villainous Vultur family: My Finances Tracker: Budget, C, Zetter Authenticator, and Recover Audio, Images & Videos. The three apps attracted 1,000+, 10,000+ and 100,000+ downloads respectively.
You may be wondering, "What, exactly, is Vultur malware?" According to the cybersecurity report, Vultur was first discovered in July 2021. It's an Android banking trojan that steals personally identifiable information (PII) by recording your screen.
"It is also able to create a remote session on the device using VNC technology to perform actions on the victim's device, effectively leading to On-Device Fraud (ODF)," the ThreatFabric report said.
Interestingly, ThreatFabric discovered a new, concerning modus operandi with the three aforementioned Vultur-injected Google Play apps. Not only does it rely on screen streaming to steal information from unwitting victims, but it also utilizes accessibility logging. In other words, the trio of apps can track your gestures and taps to spy on your data.
If that wasn't creepy enough, ThreatFabric also unveiled its findings regarding two apps under the Sharkbot malware family: Codice Fiscale 2022 and File Manager, Lite. The former app targets Italian users while the latter targets Italian and UK quarries. However, ThreatFabric warns that Android users shouldn't get too comfortable.
"The payload delivered [from Codice Fiscale 2022 and File Manager, Lite] still has banks from Italy, UK, Germany, Spain, Poland, Austria, US, and Australia in its target list," the report said.
What's fearsome about this new Sharkbot iteration is that, unlike previous campaigns, this one slips under the radar more easily because it does not prompt users to accept suspicious, fishy permissions.
When Sharkbot gets its fins on a device, it can steal users' banking account credentials and even slip through multi-factor authentication barriers. Despite Google's policy and security changes, dangerous malware still finds a way to wiggle its way into the Play Store.
"Google Play still remains the most 'affordable' and scalable way of reaching victims for most of the actors of different level," ThreatFabric concluded.
