CyberTalk

SharkBot banking malware hits Google Play Store, posing as antivirus

SharkBot malware spreading via fake antivirus app - image concept, sharks

EXECUTIVE SUMMARY:

SharkBot belongs to a category of malware capable of bypassing multi-factor authentication, stealing credentials, and authorizing transfers out of a victim’s bank account. It ultimately deceives banks’ fraud detection systems.

When the SharkBot malware first appeared on the Google Play Store, it masqueraded as an antivirus application. SharkBot’s presence on the Google Play Store reinforces the fact that malicious apps can indeed slip past Google’s security controls.

SharkBot victims

As of this writing, SharkBot has largely affected banking customers in the UK, Italy and the US.

SharkBot’s capabilities

The malware’s most notable feature is the ability to transfer money via Automatic Transfer Systems (ATS). In the latest version of SharkBot, the primary capabilities consist of:

In order to carry out the above, SharkBot abuses the Android accessibility permission and then grants itself further permissions on an as-needed basis.

SharkBot technical details

SharkBot can also receive commands from the C2 server, enabling it to execute functions such as:

And more.

SharkBot vs. other Android banking trojans

There are numerous Android banking trojans out there. What makes SharkBot unique?

SharkBot uses a relatively new component that leverages the ‘Direct reply’ feature for notifications. This means that SharkBot can intercept new notifications and respond to them with messages that directly emanate from the C2.

This feature enables SharkBot to drop feature-rich payloads onto compromised devices by replying with a shortened Bit.ly URL.

The original SharkBot dropper app includes a light version of the real malware in order to limit the risk of detection by the app store.

Google Play Store image showing antivirus cleaner app that hides SharkBot.

Via the ‘auto reply’ feature, a complete version of SharkBot, featuring ATS, is obtained directly from the C2. This is automatically installed on the device.

The C2 relies on a domain generation algorithm (DGA), which makes detecting and blocking the command-issuing domains difficult.
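The article says only that SharkBot’s C2 uses a DGA, so as an added example (not from the article or from any SharkBot analysis), here is a defender-side heuristic that scores DNS query names for DGA-like traits over constructed resolver log lines. The thresholds, the log format and the single-label-TLD assumption in `registrable_label` are illustrative assumptions, not properties of SharkBot’s actual algorithm.

```python
# Added example: heuristic scoring of DNS query names for DGA-like traits.
# The thresholds below are illustrative assumptions, not derived from SharkBot.
import math
from collections import Counter

# Constructed resolver log lines: "<timestamp> <client-ip> <queried-name>".
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.5 google.com",
    "2024-01-01T10:00:02Z 10.0.0.5 cybertalk.org",
    "2024-01-01T10:00:03Z 10.0.0.7 qx7zk2vbp9mtr.net",
    "2024-01-01T10:00:04Z 10.0.0.7 hk3d8wqzlp.com",
    "2024-01-01T10:00:05Z 10.0.0.9 mybankonline.com",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'hk3d8wqzlp' for 'www.hk3d8wqzlp.com'.
    Assumption: single-label TLDs only (no handling of e.g. '.co.uk')."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain: str) -> int:
    """0..3: one point each for high entropy, few vowels, long label."""
    label = registrable_label(domain)
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in "aeiou" for ch in letters) / len(letters) if letters else 0.0
    score = 0
    score += shannon_entropy(label) >= 3.25   # many distinct characters
    score += vowel_ratio < 0.25               # unpronounceable consonant strings
    score += len(label) >= 12                 # unusually long registrable label
    return int(score)


def flag_suspicious(log_lines, threshold: int = 2):
    """Return sorted (domain, score) pairs whose score meets the threshold."""
    flagged = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines rather than crash on them
        domain = fields[2]
        score = dga_score(domain)
        if score >= threshold:
            flagged[domain] = score
    return sorted(flagged.items())
```

Flagged names are a triage signal to correlate with the querying client, not proof of infection: a short benign name with few vowels can score a point too, which is why the decision uses a threshold over several traits.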

In conclusion

Experts note that SharkBot underscores the need for banks to monitor user transactions from the behavioral standpoint, ensuring that they have the capacity to deploy interventions and to halt malicious account takeover activities.

Thus far, SharkBot has not spread beyond roughly 1,000 downloads. If you have installed an “Antivirus, Super Cleaner” from the Google Play Store, delete the app immediately and consider wiping your device.

Whenever downloading an app from the Play Store, ensure that you check reviews, examine the number of people who have previously downloaded the app, and conduct some reconnaissance of your own on the app’s utility and authenticity.

Lastly, for more information about banking malware, please see CyberTalk.org’s past coverage.
