Skip to main content

Six 'antivirus' apps were caught spreading malware that steals banking info — here are the culprits

Mobile malware
Mobile malware (Image credit: Getty Images)

Masquerading as innocuous, malware-thwarting platforms, a handful of "antivirus" apps were caught red-handed stealing banking information and other credentials from its users. Check Point Research (CPR) cybersecurity investigators spotted these deceptive apps in the Google Play Store.

CPR discovered more than 1,000 unique IP addresses of infected devices. According to Google Play Store data, however, the six deceptive applications were downloaded more than 11,000 times.

'Antivirus' apps unleash nasty malware called Sharkbot

Sharkbot is the name of the banking malware posing as antivirus solutions; once installed, it snatches Android users' credentials and banking information. According to CPR, Sharkbot baits victims into entering their sensitive data in windows that mimic input forms.

"CPR suspects the threat actors are Russian speaking and warns Android users worldwide to think twice about downloading antivirus solutions," a curious statement for CPR to make considering the ongoing Russia-Ukraine conflict and looming cyberwar threat.

After victims input their information, Sharkbot sends the compromised data to a server. CPR discovered that most victims reside in Italy (62%), followed by the UK (36%). Interestingly, the malicious actors implemented a geofencing feature, ignoring devices in Romania, Russia, Ukraine, Belarus, China and India.

"What’s also noteworthy here is that the threat actors push messages to victims containing malicious links, which leads to widespread adoption. All in all, the use of push-messages by the threat actors requesting an answer from users is an unusual spreading technique," CPR added.

Check Point Research

Check Point Research (Image credit: Check Point Research)

The six malicious apps CPR spotted included "Atom Clean-Booster, Antivirus," "Antivirus, Super Cleaner," "Alpha Antivirus, Cleaner," "Powerful Cleaner, Antivirus," and "Center Security - Antivirus."

Fortunately, CPR notified Google about these misleading apps and the search-engine tech giant removed them from the Play Store.

If you want to ensure that you're downloading legitimate pro-security platforms, check out our best antivirus apps page for well-established, trustworthy solutions for your needs.

Kimberly Gedeon, holding a Master's degree in International Journalism, launched her career as a journalist for MadameNoire's business beat in 2013. She loved translating stuffy stories about the economy, personal finance and investing into digestible, easy-to-understand, entertaining stories for young women of color. During her time on the business beat, she discovered her passion for tech as she dove into articles about tech entrepreneurship, the Consumer Electronics Show (CES) and the latest tablets. After eight years of freelancing, dabbling in a myriad of beats, she's finally found a home at Laptop Mag that accepts her as the crypto-addicted, virtual reality-loving, investing-focused, tech-fascinated nerd she is. Woot!