SharkBot and Vultur are back on the Play Store! Hidden in infected applications, these dangerous pieces of malware record the screen and what the user types in order to steal bank data and empty accounts.

To get their hands on victims' money, attackers keep getting more inventive. And, despite Google's repeated efforts to strengthen its security, the Play Store (the official store for downloading apps on Android) remains an effective channel for them. Not a week goes by without new infected applications being discovered, which also ends up damaging the image of the Internet giant's service. This week again, researchers from the cybersecurity specialist ThreatFabric discovered the presence of two well-known pieces of malware, SharkBot and Vultur, which steal victims' bank details in order to empty their accounts. To do this, the malware infiltrated five applications, which accumulated a total of 130,000 downloads. Once installed through a particularly devious technique, they record keystrokes and transmit screen content in real time. This new campaign targets the banking applications of 231 financial institutions located in France, Italy, the United Kingdom, Germany, Spain, Poland, Austria, the United States, Australia and the Netherlands.

SharkBot and Vultur: malware targeting French banks

Both pieces of malware, which share the same modus operandi, manage to bypass the defenses of the Google Play Store because they are what are called Trojan horses. The infected applications on the official Android store do not contain the malware themselves; they are used to install SharkBot or Vultur afterwards. These are called droppers. They are functional and seemingly harmless but, when the victim opens them, they ask for an update via the Play Store. Except that the user lands on a fake page that looks exactly like the real one and that opens in the web browser, so the applications do not need to request special permissions. When the supposed update is downloaded, the browser displays an alert about the installation of an APK file (for Android Package Kit, i.e. the set of files used to install an application), but the victim pays no attention since they believe they are safely on the Play Store. Once on the device, the malware deploys various strategies to seize personal data, and especially banking data: it records the words typed on the virtual keyboard, displays an overlay window, collects the contact list and even intercepts all received SMS messages, which allows it to capture the codes needed for two-factor authentication.

SharkBot and Vultur target more than 231 applications worldwide, including in France, and more particularly those of banks and financial services. This is the case for popular online services such as N26, PayPal, Aion Bank, Bunq and Revolut, but also for the French banks ING France, Crédit Mutuel de Bretagne, BNP Paribas, Boursorama, CIC, Crédit Mutuel, Orange Bank, Hello bank!, Crédit Agricole, LCL, HSBC France, Ma French Bank and Société Générale. Both pieces of malware go a step further by also stealing cryptocurrencies, attacking applications intended for crypto-assets such as exchange platforms (Binance, Crypto.com, Bitfinex, Bitpanda, Bittrex, Bybit, Coinbase, eToro, Gemini, Kraken, etc.) and digital wallets (MetaMask and BlueWallet, for example).

SharkBot and Vultur: five compromised apps on the Play Store

As is often the case, SharkBot and Vultur are installed via everyday applications, such as a file manager, a budget tracker, a code generator for two-factor authentication or a tool for recovering deleted PDF files. Here are the applications compromised by the two pieces of malware:

  • Recover Audio, Images & Videos (100,000 downloads)
  • Codice Fiscale 2022 (10,000 downloads)
  • Zetter Authenticator (10,000 downloads)
  • My Finances Tracker (1,000 downloads)
  • File Manager Small, Lite (1,000 downloads)

Alerted by ThreatFabric, Google has since removed them from the Play Store. However, if one of them is already present on a mobile device, you must immediately uninstall it and clean the smartphone or tablet, using an antivirus or resetting it. It is also better to change all your passwords and carefully monitor transactions on your bank accounts for a while.

In any case, it is essential to remember that an application coming from the Google Play Store does not mean it presents no risk. Certain signs should raise suspicion, for example when a developer's account has only one app, when the privacy policy is very short or when the app requests unnecessary permissions. When in doubt, it is better to install only the applications you really need, delete those that are no longer used and keep an antivirus running in the background as a second check that no malicious behavior is secretly at work.
