Variants of the SharkBot banking trojan were identified in multiple file manager Android applications on the Google Play Store, some of them with thousands of downloads.
The majority of users who downloaded the trojanized apps were located in the U.K. followed by Italy, Iran, and Germany, security researchers at Bitdefender said in an analysis published this week.
"The Google Play Store would likely detect a trojan banker uploaded to their repository, so criminals’ resort to more covert methods," reads the advisory. One way is with an app, sometimes legitimate with some of the advertised features, that doubles as a dropper for more insidious malware."
This was the case with multiple file manager apps, which were disguised as such to justify the request for permission to install external packages from the user.
The permissions asked by trojanized apps included READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, GET_ACCOUNTS, REQUEST_INSTALL_PACKAGES, QUERY_ALL_PACKAGES, and REQUEST_DELETE_PACKAGES.
"Of course, that permission is used to download malware," the researchers wrote. "As Google Play apps only need the functionality of a file manager to install another app and the malicious behavior is activated to a restricted pool of users, they are challenging to detect."
While the applications identified by the researchers are no longer available on the Play Store, they can still be downloaded via multiple third-party stores, making them a huge threat.
The first app examined by the researchers was 'X-File Manager,' designed by 'Viktor Soft ICe LLC' and counting over 10,000 installs before it was taken down by Google. 'FileVoyager' was the second one, manufactured by 'Julia Soft Io LLC' with nearly 5,000 downloads.
The researchers discovered two more apps following an identical methodology, but they were never present on the Google Play store. They are called 'Phone AID, Cleaner, Booster' and 'LiteCleaner M' and were identified on the web via third-party app stores.
The advisory published by the Bitdefender team comes weeks after threat analysts at Cleafy indicated the Android banking Trojan Vultur has reached more than 100,000 downloads on the Google Play Store.
Users who have downloaded the malicious apps are advised to delete them and change their bank account passwords immediately. Additionally, users are recommended to enable Play Store Protect and scan app ratings and reviews before downloading them.