
SharkBot malware disguises itself as an antivirus on the Google Play Store


NCC Group experts reported on the SharkBot malware, which was found in the Google Play Store disguised as an antivirus app and which actually steals money from the users who installed it.

SharkBot, like its counterparts TeaBot, FluBot, and Oscorp (UBEL), belongs to the category of banking Trojans capable of stealing credentials from infected devices and bypassing multi-factor authentication mechanisms. The malware first appeared on the scene in November 2021.

A distinctive feature of SharkBot is its ability to perform unauthorized transactions through an automatic transfer system (ATS). This sets it apart from TeaBot, for example, which requires a live operator to interact with infected devices in order to perform malicious actions.

"As far as we observed, this technique is an advanced attack technique which isn't used regularly within Android malware. It enables adversaries to auto-fill fields in legitimate mobile banking apps and initiate money transfers, while other Android banking malware, like Anatsa/Teabot or Oscorp, require a live operator to insert and authorize money transfers. This technique also allows adversaries to scale up their operations with minimum effort," NCC Group experts said.

In this case, attackers use ATS to fool fraud detection systems by imitating the sequence of actions a real user would perform to make a money transfer, such as button presses, clicks, and gestures.

Discovered in the Google Play Store on February 28, 2022, the malware was delivered through a series of dropper apps that used the Android Direct Reply feature to spread to other devices. This makes SharkBot the second banking trojan after FluBot to use this distribution method and to have worm-like capabilities.

In addition, SharkBot is multifunctional: it allows an attacker to inject overlays on top of real banking applications and thus steal credentials, intercept keystrokes, and establish complete remote control over devices. All of this becomes possible only if the victim grants the malware the right to use Accessibility Services.

The malware hid in the following apps, which were installed more than 57,000 times in total:

  1. Antivirus, Super Cleaner (com.abbondioendrizzi.antivirus.supercleaner) – 1000+ installs;
  2. Atom Clean-Booster, Antivirus (com.abbondioendrizzi.tools.supercleaner) – 500+ installs;
  3. Alpha Antivirus, Cleaner (com.pagnotto28.sellsourcecode.alpha) – 5000+ installs;
  4. Powerful Cleaner, Antivirus (com.pagnotto28.sellsourcecode.supercleaner) – 50,000+ installs.
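Because the droppers above are identified by package name and the malware only becomes dangerous once it holds the Accessibility Services permission, a device triage check can combine both signals. The script below is an added example, not code from the report or from NCC Group; it parses the text output of `adb shell pm list packages` and `adb shell settings get secure enabled_accessibility_services` (sample output and the trusted-prefix allowlist are constructed here) and flags known dropper packages as well as any enabled accessibility service outside the allowlist.

```python
"""Triage helper: flag SharkBot dropper packages and untrusted accessibility services."""
import re

# Package names of the dropper apps named in the NCC Group report.
SHARKBOT_DROPPER_PACKAGES = {
    "com.abbondioendrizzi.antivirus.supercleaner",
    "com.abbondioendrizzi.tools.supercleaner",
    "com.pagnotto28.sellsourcecode.alpha",
    "com.pagnotto28.sellsourcecode.supercleaner",
}

# Assumed allowlist of package prefixes whose accessibility services are expected (placeholder).
TRUSTED_ACCESSIBILITY_PREFIXES = ("com.google.android.", "com.android.")


def parse_pm_list(output: str) -> set:
    """Extract package names from 'package:<name>' lines of `pm list packages`."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)$", output, re.MULTILINE)}


def parse_enabled_services(output: str) -> list:
    """Split the colon-separated 'pkg/service' list; the setting reads 'null' when empty."""
    output = output.strip()
    if not output or output == "null":
        return []
    return [s for s in output.split(":") if s]


def triage(pm_output: str, a11y_output: str) -> dict:
    """Return known dropper packages and accessibility services that are not allowlisted."""
    installed = parse_pm_list(pm_output)
    known = sorted(installed & SHARKBOT_DROPPER_PACKAGES)
    untrusted = []
    for svc in parse_enabled_services(a11y_output):
        pkg = svc.split("/", 1)[0]
        if pkg in SHARKBOT_DROPPER_PACKAGES or not pkg.startswith(TRUSTED_ACCESSIBILITY_PREFIXES):
            untrusted.append(svc)
    return {"known_droppers": known, "untrusted_accessibility": untrusted}


# Constructed sample output: one of the report's dropper packages is installed and has
# an accessibility service enabled next to a trusted one (service class name is made up).
SAMPLE_PM = "package:com.android.chrome\npackage:com.pagnotto28.sellsourcecode.supercleaner\n"
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.pagnotto28.sellsourcecode.supercleaner/.AccService")

if __name__ == "__main__":
    print(triage(SAMPLE_PM, SAMPLE_A11Y))
```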

Let me remind you that we also reported that a fake antivirus promised protection from Pegasus spyware but turned out to be a Trojan, and that thousands of Android apps leak data due to misconfigured Firebase.

About The Author
Vladimir Krasnogolovy