Promo2day | Giveaways, Offers, Crypto and Much More Security Center Security News v
SharkBot malware hides as Android antivirus in Google Play

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook
SharkBot malware hides as Android antivirus in Google Play
tarekma7 Offline
Administrator
*******
Administrators
Posts: 19,048
Threads: 8,731
Thanks Received: 32,618 in 9,352 posts
Thanks Given: 4,351
Joined: Sep 2015
Reputation: 2,729
The EnforcerGold MemberRandomThe InfluentialThe CrownThe Researcher The WriterThe Organizer View All
#1
03-05-2022 , 05:47 PM
[Image: fygqBDM.jpg]

Quote:SharkBot banking malware has infiltrated the Google Play Store, the official Android app repository, posing as an antivirus with system cleaning capabilities.

Although the trojan app was far from popular, its presence in Play Store shows that malware distributors can still bypass Google's automatic defenses. The app is still present in Google's store at the moment of writing.

SharkBot was discovered in Google Play by researchers at the NCC Group, who today published a detailed technical analysis of the malware.

What can SharkBot do?

The malware was first discovered by Cleafy in October 2021. Its most significant feature, which set it apart from other banking trojans, was transfering money via Automatic Transfer Systems (ATS). This was possible by simulating touches, clicks, and button presses on compromised devices.

NCC reports that the money transfer feature is still available in the latest version but used only in some cases of advanced attacks.

The four primary functions in SharkBot's latest version are:

Injections (overlay attack): SharkBot can steal credentials by showing web content (WebView) with a fake login website (phishing) as soon as it detects the official banking app opened
Keylogging: Sharkbot can steal credentials by logging accessibility events (related to text fields changes and buttons clicked) and sending these logs to the command and control server (C2)
SMS intercept: Sharkbot can intercept/hide SMS messages.
Remote control/ATS: Sharkbot has the ability to obtain full remote control of an Android device (via Accessibility Services).
To perform the above, SharkBot abuses the Accessibility permission on Android and then grants itself additional permissions as needed.

This way, SharkBot can detect when the user opens a banking app, performs the matching web injections, and steals the user's credentials.

The malware can also receive commands from the C2 server to execute various actions such as:

Send SMS to a number
Change SMS manager
Download a file from a specified URL
Receive an updated configuration file
Uninstall an app from the device
Disable battery optimization
Display phishing overlay
Activate or stop ATS
Close a specific app (like an AV tool) when the user attempts to open it

Source
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  45,000 Android devices infected by unremovable malware sidemoon 1 3,518 11-30-2023 , 05:24 AM
Last Post: Pranav
  Google ads push BumbleBee malware used by ransomware gangs mrtrout 0 955 04-23-2023 , 03:59 AM
Last Post: mrtrout
  Android malware apps with 2 million installs spotted on Google Play tarekma7 0 838 12-05-2022 , 04:09 PM
Last Post: tarekma7
  Android malware infected 300,000 devices to steal Facebook accounts tarekma7 0 694 12-05-2022 , 04:04 PM
Last Post: tarekma7
  Fake Google Translate app installs malware dhruv2193 1 838 09-05-2022 , 12:47 PM
Last Post: Mike



Users browsing this thread: 1 Guest(s)