Cyber Security

SharkBot malware hides as Android antivirus in Google Play

SharkBot banking malware has infiltrated the Google Play Store, the official Android app repository, posing as an antivirus with system cleaning capabilities.

Although the trojan app was far from popular, its presence in Play Store shows that malware distributors can still bypass Google’s automatic defenses. The app is still present in Google’s store at the moment of writing.

The laced Android application that carries SharkBot
Publisher details on the Play Store

SharkBot was discovered in Google Play by researchers at the NCC Group, who today published a detailed technical analysis of the malware.

What can SharkBot do?

The malware was first discovered by Cleafy in October 2021. Its most significant feature, which set it apart from other banking trojans, was transfering money via Automatic Transfer Systems (ATS). This was possible by simulating touches, clicks, and button presses on compromised devices.

NCC reports that the money transfer feature is still available in the latest version but used only in some cases of advanced attacks.

The four primary functions in SharkBot’s latest version are:

  • Injections (overlay attack): SharkBot can steal credentials by showing web content (WebView) with a fake login website (phishing) as soon as it detects the official banking app opened
  • Keylogging: Sharkbot can steal credentials by logging accessibility events (related to text fields changes and buttons clicked) and sending these logs to the command and control server (C2)
  • SMS intercept: Sharkbot can intercept/hide SMS messages.
  • Remote control/ATS: Sharkbot has the ability to obtain full remote control of an Android device (via Accessibility Services).

To perform the above, SharkBot abuses the Accessibility permission on Android and then grants itself additional permissions as needed.

This way, SharkBot can detect when the user opens a banking app, performs the matching web injections, and steals the user’s credentials.

The malware can also receive commands from the C2 server to execute various actions such as:

  • Send SMS to a number
  • Change SMS manager
  • Download a file from a specified URL
  • Receive an updated configuration file
  • Uninstall an app from the device
  • Disable battery optimization
  • Display phishing overlay
  • Activate or stop ATS
  • Close a specific app (like an AV tool) when the user attempts to open it

Replying to notifications

One of the notable differences between SharkBot and other Android banking trojans is the use of the relatively new components that leverages the ‘Direct reply’ feature for notifications.

SharkBot can now intercept new notifications and reply to them with messages coming directly from the C2.

The code for the auto-reply function (NCC Group)

As noted in the NCC report, SharkBot uses this feature to drop feature-rich payloads onto the compromised device by replying with a shortened Bit.ly URL.

The initial SharkBot dropper app contains a light version of the actual malware to reduce the risk of detection and app store rejections.

Through the ‘auto reply’ feature, a fully-fledged version of SharkBot featuring ATS is fetched directly from the C2 and installed automatically on the device.

Decrypted C2 response commanding the download of the payload (NCC Group)

The C2 relies on a DGA (domain generation algorithm) system that makes it more difficult to detect and block the SharkBot command-issuing domains.

To protect yourself from dangerous trojans like SharkBot, never blindly trust any apps on the Play Store, and try to keep installed apps on your device at a minimum.

If you’re looking for an Android antivirus, there are several trustworthy vendors who offer their tools for free.

Source: https://www.bleepingcomputer.com/news/security/sharkbot-malware-hides-as-android-antivirus-in-google-play/

Click to comment

You May Also Like

Cyber Security

North Korean state-sponsored hackers Lazarus Group have been exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to target internet backbone infrastructure and healthcare institutions in Europe...

Cyber Security

Spywares are software that is used as a surveillance application to collect sensitive information from victims and send it to the person who installed the application....

Cyber Security

Google has published its annual 0-day vulnerability report, presenting in-the-wild exploitation stats from 2022 and highlighting a long-standing problem in the Android platform that...

Cyber Security

DoNot APT Hackers Deploy Android Malware Apps on Google Play, Under the account name “SecurITY Industry,” the CYFIRMA team successfully identified dubious Android apps...

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO

Exit mobile version