A large-scale cybercrime campaign targeting Android users and bank accounts has come to light. More than 130,000 Google Play Store accounts that downloaded at least one of the five malicious dropper apps were potentially affected.
The campaign was identified by ThreatFabric analysts in October, when they discovered cybercriminals running a "dropper" campaign that forced users to update a seemingly safe program and unknowingly download malware from a third-party website.
ThreatFabric discovered that a malware campaign known as Trojan Sharkbot specifically targeted users of Italian banks through the Codice Fiscale program. The installer, disguised as a program for calculating the Italian tax code, draws little attention on the Google Play Store and does not look malicious.
However, after the user downloads the app, they are prompted to update it. The program redirects the user to a third-party website with download and installation instructions. There, the malware is downloaded to the user’s device.
Because this method takes the Android user outside the app and the Google Play Store to download the malware, the app is unlikely to be flagged as malicious. To date, the program has been downloaded more than 10,000 times. In addition, ThreatFabric discovered another malicious campaign, known as Vultur, that has been going on all year.