These Antivirus Apps On Google Play Aren’t What They Seem With Sinister Malware On Board

Always be wary of installing apps on your mobile device, regardless of where that app comes from. Many people use their mobile devices for banking and other financial transactions, because they're always with us, always connected, and easy to use. Unfortunately, because of their ubiquity and ease of use, mobile phones have also become a very popular target for viruses and other malware.

Thanks to the researchers at CheckPoint Software Technologies Ltd., a security-focused development and research firm, we now know of six apps that claimed to be anti-virus or anti-malware utilities on the Google Play Store, that were carrying malicious payloads. including Sharkbot. The shady apps, downloaded approximately 15,000 times, are as follows.

• Atom Clean-Booster, Antivirus
  • Published by Zbynek Adamcik
• Antivirus, Super Cleaner
  • Published by Zbynek Adamcik
• Alpha Antivirus, Cleaner
  • Published by Adelmia Pagnotto
• Powerful Cleaner, Antivirus
  • Published by Adelmio Pagnotto
• Center Security - Antivirus
  • Published by Bingo Like Inc.
• Center Security - Antivirus
  • Published by Bingo Like Inc.

Note that two have the same name, however, they are listed with different icons in the Google Play Store.

Sharkbot itself utilizes several tricks to try to steal a user's banking information. Such as pop-overs, where it will detect common banking apps or websites and pop up its version of the login panel to steal login information. It can also interact with text messages, so if you have 2-factor authentication turned on to text message mode it can potentially read those messages. It can change the SMS manager, allowing it to handle all text messages itself. It can grab notifications, read your contact list, uninstall apps, and attempt access through accessibility services. It even can turn off battery optimization to allow itself to continue running in the background. These are just a few of the nasty things this malware is capable of.

This particular variation on the Sharkbot malware, according to ChekPoint, also includes a function known as a "Domain Generation Algorithm" or DGA. The purpose of DGA is to generate new domains for the app to communicate back to its command-and-control server, making it harder to track. According to CheckPoint, the DGA feature was generating seven new domains per week, or roughly one a day.

Another nasty thing about this particular malware, and sometimes the apps that package them, is a function called a "Dropper". A dropper is a method in which an app will claim to need an update, and push users to a shady website to get even more malware. Sometimes the malware will try this over existing banking apps, other times it will just throw itself on top of the starting app that installed the malware in the first place.


To protect yourself it is best to only install apps from a trusted source. If a publisher is new, double-check for another similar app, check reviews, and perform a web search for the app to see if anyone has reported trouble, as malware distributors often try to trick users into installing their apps by looking like a legitimate version. If you have concerns about an app being malware, you can also report via the Play Store. It is also worth noting that the latest security update to Android 12 does try to mitigate some of the features that the Sharkbot malware attempts to take advantage of, such as utilizing handicap assistance modes to bypass security layers. CheckPoint's full detailed research on the malware is available to read here.