This malware strain weaponizes harmless-looking apps—and it’s easily avoidable

Google’s Cybersecurity Action Team (CAT) is warning enterprise managers about Trojan horse-style threats that piggyback on trustworthy-seeming mobile app downloads.

Less than 1% of downloads from the Google Play Store are potentially infected with malware, according to the team’s August report, which cited “versioning” as one technique that tricks Android users into downloading malware—attached to a trusted app—that then infiltrates their devices.

In this category is SharkBot, a banking malware that uses dynamic code loading (DCL), which, the report explains, is when an app “downloads and loads code files from untrusted sources,” deploying malware after the user downloads the app. The program flies under the radar of the Google Play Store with “reduced functionality, a common tactic threat actors use to help their apps look less suspicious to Play Store detection systems,” according to the report.

Once downloaded, the app “later receives an update from a third-party server changing the code on the end user device that enables malicious activity,” the report said. In SharkBot’s case, the malware starts making unauthorized money transfers from the user’s account.

Italian researchers initially identified SharkBot in 2021, and it was first spotted as part of Google Play downloads last year, Bleeping Computer reported. Thousands of people downloaded various malicious SharkBot apps in 2022, according to Bleeping Computer and Bitdefender.

IT managers can ensure their organization doesn’t fall victim to these apps by using allowlists, which limit employee downloads on company devices to preapproved applications. “Limiting the available applications to only trusted developers may significantly reduce the likelihood” of DCL intrusions, the report said.

Another takeaway from the CAT report: Accounts with weak passwords—or no password at all—make up well over half of the “compromise factors” Google identified in the first quarter of this year. Issues with exposed credentials more generally comprised more than 60% of the weaknesses among Google Cloud customers.

These factors could be mitigated “by stronger identity management guardrails in place at the organization level,” the report said.