Once again scammers are getting creative in findings way to get their fake and malicious apps on Google Play. Unsuspecting users install said apps with false sense of security since the apps is offered on Google Play it must be safe (which in most case is true). In the past, most of these malicious apps were more of an annoyance serving adware and performing (ad) click fraud. However, these new fake Android ‘File Manager’ apps are a lot more serious and dangerous. These apps are “clean” when they are uploaded to Google Play, but once install will later ‘phone home’ to fetch and install a Sharkbot banking trojan. Worse yet, since these are ‘File Manager’ apps, users are not going to question the elevated permissions the apps are asking users to approve.
Sharkbot is a dangerous malware that attempts to steal online bank accounts by displaying fake login forms over legitimate login prompts in banking apps. When a user attempts to log in to their bank using one of these fake forms, the credentials are stolen and sent to the threat actors.
The malicious app requests the user to grant risky permissions like reading and writing external storage, installing new packages, accessing account details, deleting packages (to wipe traces), etc.
Yet another reason I don’t use mobile banking, I just feel safer doing my banking on a traditional PC. Plus since I don’t have mobile data, I wouldn’t want to use mobile banking over a public Wi-Fi anyway. While, most banks do not hold you reopenable for fraud and usually refund you money in case of fraud (except Zelle) it is still a major hassle. It is bad enough having a credit card compromised (been there, done that), but a bank account is going to be far worse. Not just the temporary loss of funds (and ‘bounced’ payments), but having to update bill pays (such as those used to pay your credit card each month) and direct deposits (payrolls, pensions, disability, social security, etc.) Granted it is not as bad it was in the past now with so few people using checks anymore and many banks issuing new debit cards on the spot at their local branches.
Check your devices to see if you may have installed any of the below fake Android ‘file manager’ apps. If they are installed, stop using and remove it immeditlly.
- ‘X-File Manager’ by Victor Soft Ice LLC (com.victorsoftice.llc), downloaded 10,000 times via Google Play before Google eventually removed it.
- ‘FileVoyager’ by Julia Soft Io LLC (com.potsepko9.FileManagerApp), downloaded 5,000 times via Google Play.
- ‘LiteCleaner M’ (com.ltdevelopergroups.litecleaner.m), which amassed 1,000 downloads before it got spotted and removed from the Play Store. (also found on third-party app store APKSOS)
- ‘Phone AID, Cleaner, Booster 2.6’ (om.sidalistudio.developer.app). (found only on third-party app store APKSOS)
While three out of four were hosted on Google Play, they were removed once detected. However, #3 is still out in the wild on those third-party app stores. Unfortunately, you are not going to be 100% safe by always installing only from Google Play, but still much safer than installing blindly from third-party app stores. You can add another layer of protection by ensuring your devices are using Google Play Protect (if they are certified they will be by default unless the user deactivates the feature).
