At least 15,000 Android users downloaded anti-malware apps from the Google Play Store which, instead of protecting them from hackers, infected their devices to steal passwords, bank details and other personal information, a new report showed on Thursday.

The six malicious apps, disguised as anti-virus apps, have now been removed from the Play Store by Google, but the damage was done.

According to cyber security researchers at Check Point, the apps infected over 15,000 users with Sharkbot Android malware which steals credentials and banking information.

“This malware implements a geofencing feature and evasion techniques, which makes it stand out from the rest of malware. It also makes use of something called domain generation algorithm (DGA), an aspect rarely used in the world of Android malware,” according to the Check Point report.

It identified approximately 1,000 unique IP addresses of infected devices during the time of analysis. Most of the victims were from Italy and the UK.

Sharkbot lures victims to enter their credentials in windows that mimic benign credential input forms. When the user enters credentials in these windows, the compromised data is sent to a malicious server.

“Sharkbot doesn’t target every potential victim it encounters, but only select ones, using the geo-fencing feature to identify and ignore users from China, India, Romania, Russia, Ukraine or Belarus,” said the report.

“Overall, we saw over 15,000 downloads of these apps from Google Play,” it added.

Threat actors are evolving and constantly seeking ways to inject and drop malware by any means possible, including disguising it as legitimate “official” apps.

After examining the apps, Google permanently removed these applications from the Play Store.