ZDNet reports that more than 15,000 Android users had their devices infected with the Sharkbot malware after downloading six fake anti-virus apps, all of which have already been removed from the Google Play store.
Users impacted by Sharkbot, which can exfiltrate usernames and passwords, may have been sent phishing links to download the malicious apps, which evaded Google's protections because malicious activity was triggered only after users downloaded them, according to Check Point researchers.
"We think that they were able to do it because all malicious actions were triggered from the C&C server, so the app could stay in the 'OFF'-state during a test period in Google Play and turn 'ON' when they get to the users' devices," said Check Point Software Cybersecurity, Research, and Innovation Manager Alexander Chailytko.
Most of the users affected by Sharkbot were based in the UK and Italy, while the malware did not infect users from Russia, Ukraine, Belarus, China, Romania, and India.