The best way to prevent malware from infiltrating your Android phone is to only download apps from the official Play Store. However, no method is foolproof. Malware writers sometimes find a way to hide malware in Google’s repository, at least for a little while. Earlier this year, security researchers spotted a malicious software package called SharkBot spreading on the Play Store. It was eradicated, sure, but now it’s back with a vengeance.
In the early days of the Play Store, Google allowed every app to go live with minimal oversight. Slowly, it intensified its automated and human-assisted checks, making it very difficult to download known malware. Thus, most malware campaigns today attempt to distribute a seemingly harmless application which then downloads a malicious payload. That’s what SharkBot does.
When initially detected in February 2022, the SharkBot dropper ironically claimed to be an antivirus application. It used Android’s Accessibility Service to download and install its malicious code without user interaction, giving creators access to banking information, keystrokes, and even the ability to take complete control of the device. ‘a phone. The latest version even adds functionality to steal login cookies so attackers can gain access to user accounts.
The new dropper does not have the same installation trick. Google has started cracking down on apps that use the Accessibility Service for this reason. The same systems that help people with disabilities use their phones can be hacked to install malware without the user’s knowledge. Now, apps that request accessibility must have a good reason, and Google will start apps that don’t. Instead, the new SharkBot dropper downloads the malware, which masquerades as a fake security update and must be installed by the user.
Since the new dropper cannot use accessibility to do the job, it relies on the user to manually allow unknown sources and install dangerous code. It’s much less likely, but it still happens. The dropper appeared in several listings, including a phone cleaner and a security suite (both now deleted). They have tens of thousands of downloads, so probably at least some of these people followed all the steps to install the malware.
Security Researchers at Fox-It, which detected SharkBot, thinks ongoing development means we can expect it to continue sneaking into the Play Store. If an app asks you to manually install something, you’ll probably want to go the other way and uninstall the whole thing.