SharkBot malware plays ‘hide and seek’ as an Android antivirus in Google Play Store
March 6th, 2022 - Written By CyberLabs
SharkBot banking malware has infiltrated the Google Play Store, the official Android app repository, pretending to be an antivirus with system cleaning capabilities. Although this trojan app was far from popular, the fact that it can enter and be present in the Google play store showcases that malware distributors and threat actors can still dodge Google’s automatic defenses. Unfortunately this app is still present in the plat store at the moment of writing.
SharkBot was thankfully discovered in Google Play by a set of researchers at the NCC Group, who published a detailed technical analysis of the malware.
What can it do?
SharkBot was first discovered by Cleafy in October 2021. It’s most prominent feature, which actually highlights it from other banking trojans, was transferring money via Automatic Transfer Systems (ATS). This has been possible by simulating touches, clicks, and button presses on compromised devices.
NCC’s report states that the money transfer feature is also still available in the latest version but used only in some cases of an advanced attack.
Take a look at the 4 primary functions in SharkBot’s latest version:
- Injections (overlay attack): The malware can steal credentials by showing web content (WebView) with a fake login website (phishing) as soon as it detects the official banking app opened
- Keylogging: Sharkbot can steal credentials by logging accessibility events (related to text fields changes and buttons clicked) and sending these logs to the command and control server (C2)
- SMS intercept: Sharkbot can intercept/hide SMS messages.
- Remote control/ATS: Sharkbot has the ability to obtain full remote control of an Android device (via Accessibility Services).
To perform the above, The malware abuses the Accessibility permission on Android after which grants itself additional permissions as needed. SharkBot can detect when the user opens a banking app, performs the matching web injections, and steals the user’s credentials.
The malware can also receive commands from the C2 server to execute various actions such as:
- Send SMS to a number
- Change SMS manager
- Download a file from a specified URL
- Receive an updated configuration file
- Uninstall an app from the device
- Disable battery optimization
- Display phishing overlay
- Activate or stop ATS
- Close a specific app (like an AV tool) when the user attempts to open it
Replying to notifications
One of the significant differences between SharkBot and other Android banking trojans is the use of the relatively new components that leverages the ‘Direct reply’ feature for notifications. It can now intercept new notifications and reply to them with messages coming directly from the C2. As discussed NCC’s report, SharkBot uses this feature to drop feature-rich payloads onto the compromised device by replying with a shortened Bit.ly URL. The initial Malware dropper app contains a light version of the actual malware to reduce the risk of detection and app store rejections. Through the ‘auto reply’ feature, a fully-fledged version of SharkBot featuring ATS is fetched directly from the C2 and installed automatically on the device.
What Now?
The C2 relies on a DGA (domain generation algorithm) system that makes it more difficult to detect and block the SharkBot command-issuing domains. Therefore, it is advised that to protect yourselves from such trojans like SharkBot, never blindly trust apps even if they are available on the Play Store. Additionally, try to keep downloaded apps on your devices at a minimum. If anyone is looking for Android antiviruses there are many trustworthy vendors providing tools for free.
Recommendations
- Avast Mobile Security App for Android
- Kaspersky Mobile Antivirus App
- Lookout Security and Antivirus App
- McAfee Mobile Security App
- Google Play Protect
Source:
