SharkBot Banking Malware Spreads Via Fake Android Antivirus App on Google Play Store

The threat actor behind a nascent Android banking Trojan named SharkBot has managed to evade Google Play Store security barriers by posing as an antivirus app.

SharkBot, like its malicious counterparts TeaBot, FluBot, and Oscorp (UBEL), belongs to a category of financial Trojans capable of siphoning credentials and initiating money transfers from compromised devices while circumventing multi-factor authentication mechanisms. It first appeared on the scene in November 2021.

Where SharkBot stands out is in its ability to carry out unauthorized transactions via automatic transfer systems (ATS), which contrasts with TeaBot, which requires a live operator to interact with infected devices to conduct the malicious activities.


“The ATS features allow the malware to receive a list of events to simulate, and they will be simulated in order to perform the money transfers,” said Alberto Segura and Rolf Govers, malware analysts at cybersecurity firm NCC Group, in a report published last week.

“Since these features can be used to simulate keystrokes/clicks and button presses, they can be used not only to automatically transfer money, but also to install other malicious applications or components.”

In other words, the ATS is used to fool the targeted bank’s fraud detection systems by replaying the same sequence of actions a legitimate user would perform, such as button presses, clicks and gestures, so that the illicit transfer of money looks like ordinary user activity.

The latest version, spotted on the Google Play Store on February 28, comes as a set of dropper apps that also abuse Android’s Direct Reply notification feature to spread to other devices, making SharkBot the second banking trojan after FluBot to intercept notifications for wormable attacks.

The malicious apps, all of which were updated on February 10, have collectively been installed around 57,000 times to date –


SharkBot is also feature-rich in that it allows the adversary to inject fraudulent overlays on top of official banking apps to steal credentials, log keystrokes and gain full remote control over devices, but only after victims grant it Accessibility Services permissions.
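The capabilities described above (an Accessibility Service for remote control and overlays, notification interception for the Direct Reply spreading, overlay permission, and the ability to install further packages) all have to be declared in the APK’s AndroidManifest.xml. The following is an added example, not code from the NCC Group report or from SharkBot itself, of a static triage heuristic over a decoded manifest. The permission and action names are the real Android identifiers; the scoring weights, the verdict threshold and the two sample manifests (a fake “Antivirus Cleaner” dropper and a benign flashlight app) are constructed for this example. It assumes the manifest has already been decoded from binary XML to text (for instance with apktool), which is outside the scope of the snippet.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability
combination a SharkBot-style dropper needs. Example code, not from the page.

Looks for:
  - a service bound with BIND_ACCESSIBILITY_SERVICE   (remote control, overlays, keylogging)
  - a service bound with BIND_NOTIFICATION_LISTENER_SERVICE (reading/replying to notifications)
  - SYSTEM_ALERT_WINDOW                                (drawing overlays on other apps)
  - REQUEST_INSTALL_PACKAGES                           (dropping further components)
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# capability -> (where it is declared, real Android identifier, assumed weight)
# Weights are an assumption chosen for this example, not from the report.
CAPABILITIES = {
    "accessibility_service": ("service", "android.permission.BIND_ACCESSIBILITY_SERVICE", 3),
    "notification_listener": ("service", "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE", 2),
    "overlay": ("uses-permission", "android.permission.SYSTEM_ALERT_WINDOW", 2),
    "install_packages": ("uses-permission", "android.permission.REQUEST_INSTALL_PACKAGES", 2),
}


def declared_capabilities(manifest_xml: str) -> set:
    """Return the set of capability names the manifest declares."""
    root = ET.fromstring(manifest_xml)
    uses = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # Accessibility and notification listener services are identified by the
    # android:permission the service is protected with, not by a uses-permission.
    service_perms = {el.get(ANDROID_NS + "permission") for el in root.iter("service")}
    found = set()
    for cap, (where, ident, _) in CAPABILITIES.items():
        pool = uses if where == "uses-permission" else service_perms
        if ident in pool:
            found.add(cap)
    return found


def triage(manifest_xml: str) -> dict:
    """Score the manifest and return capabilities, score and a verdict."""
    caps = declared_capabilities(manifest_xml)
    score = sum(CAPABILITIES[c][2] for c in caps)
    # An accessibility service together with any second capability is the
    # pattern that lets an app act on the user's behalf; send it for review.
    escalate = score >= 5 or ("accessibility_service" in caps and len(caps) >= 2)
    return {"capabilities": sorted(caps), "score": score, "verdict": "review" if escalate else "low"}


# Constructed sample: a fake antivirus dropper declaring the full combination.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeav">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Antivirus Cleaner">
    <service android:name=".AccessService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: a benign flashlight app with a single ordinary permission.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("fake AV", SUSPECT_MANIFEST), ("flashlight", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The check is a triage signal, not a verdict: legitimate screen readers and automation tools also bind an Accessibility Service, so a “review” result should feed a manual or dynamic analysis step rather than a block. Conversely, a dropper can ship without these declarations and fetch the payload that carries them later, which is exactly why the Play Store screening described above was bypassed; the heuristic should be run on every installed package, not only on the one first downloaded.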

The findings come a week after researchers at Cleafy disclosed details of a new variant of TeaBot found in the Play Store, designed to target users of more than 400 banking and finance apps, including those from Russia, China and the United States.
