Fake Antivirus Apps on Play Store Loaded with SharkBot Banking Trojan
The SharkBot trojan was present in 4 fake antivirus apps on the Google Play Store, collectively boasting 57,000 downloads.
British IT security researchers from NCC Group have discovered an updated version of the malicious SharkBot banking trojan hidden inside an antivirus app available on the Google Play Store.
Malicious Apps Hiding SharkBot Malware
SharkBot's new version is hidden inside a fake antivirus app, which functions as a three-layer poison pill. The first layer masquerades as an antivirus, while the second layer extracts a scaled-down SharkBot version.
That reduced version then downloads the latest, fully featured SharkBot build, which carries a wider range of capabilities. Researchers observed the latest version of SharkBot on February 28th, 2022.
Numerous Play Store Apps Leveraging the Malware
NCC Group researchers further noted that several other dropper apps also abuse Android's Direct Reply feature, auto-replying to incoming notifications, to spread the malware to other devices. Hence, after FluBot, SharkBot is the second banking trojan that can intercept notifications to carry out wormable attacks.
The researchers also published the list of malicious apps, collectively boasting 57,000 downloads. The apps include:
- Antivirus Super Cleaner (1,000+ installs).
- Alpha Antivirus Cleaner (5,000+ installs).
- Atom Clean-Booster, Antivirus (500+ installs).
- Powerful Cleaner, Antivirus (50,000+ installs).
About SharkBot Malware
SharkBot is a remote access banking trojan first discovered in the wild in October-November 2021 by security researchers at Cleafy. At the time, researchers concluded that the malware was unique and had no similarities or connection to other malware such as Xenomorph or TeaBot.
They further explained that SharkBot is a highly sophisticated malware. Like its counterparts, e.g. FluBot, TeaBot, and Oscorp/UBEL, it is a financial trojan that can siphon credentials and transfer money from compromised devices. To perform the transfer, SharkBot circumvents MFA mechanisms.
SharkBot's Unique Capabilities
What makes SharkBot stand out is its Automatic Transfer System, or ATS. This unusual capability allows attackers to automatically move money from the victim's account without any human intervention.
Because the ATS mechanism drives the transaction on the device itself, SharkBot can carry out unauthorized transactions with no operator involvement. This is what sets it apart from TeaBot, which requires input from a live operator to conduct malicious actions on infected devices.
NCC Group's malware analysts Alberto Segura and Rolf Govers explained the ATS feature in their report published last week:
The ATS features allow the malware to receive a list of events to be simulated, and they will be simulated in order to do the money transfers. Since these features can be used to simulate touches/clicks and button presses, it can be used to not only automatically transfer money but also install other malicious applications or components.
In other words, ATS is used to deceive a bank's fraud detection system by replaying the same sequence of actions a user would otherwise perform to make the transaction, such as taps or button presses, so the transfer looks like ordinary on-device activity rather than a remote session.
More Play Store Malware News
- Squid Game app on Play Store was spreading Joker malware
- New malware "BlackRock" disguised as Android Clubhouse app
- 300,000 Android users impacted by malware apps on Play Store
- Fake Netflix app on Play Store caught hijacking WhatsApp sessions
- Hacked Android phones mimicked connected TV products for fake ad views
SharkBot - A Feature-Rich Malware
NCC Group's cybersecurity researchers describe SharkBot as an immensely feature-rich malware. It allows an attacker to inject fake overlays on top of legitimate banking apps, gain full remote control of the infected device(s), log keystrokes, and steal credentials.
However, it gains that control only if the victim grants it the Accessibility Services permission. Once it has that permission, the malware performs an overlay attack as soon as it detects an active banking app: it displays a screen resembling the app and asks for the user's credentials while secretly activating a keylogger. Whatever the user types is sent to the attacker's server.
Moreover, the malware can intercept and hide SMS messages, hijack incoming notifications, and send out messages on instructions from the attackers' C2 server. Through these tactics, it can gain full control of an Android smartphone.
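The two permissions this section describes, Accessibility Services (for overlays, keylogging and ATS clicks) and notification access (for hijacking and auto-replying to notifications), are both visible in Android's secure settings, so a quick triage of a suspect handset is to list which apps currently hold them. The script below is an added example, not NCC Group's or Cleafy's tooling. It parses the real output format of `adb shell settings get secure enabled_accessibility_services` and `... enabled_notification_listeners` (colon-separated flattened ComponentName strings) and flags any component whose package is not on a small allow-list. The allow-list prefixes and the sample device output, including the package name `com.example.cleaner.antivirus`, are constructed assumptions; the page names the apps only by their store titles, not by package.

```python
"""Triage helper: flag third-party Android apps that hold Accessibility Service
or notification-listener access, the two permissions SharkBot-style droppers abuse.

Added example, not NCC Group's or Cleafy's code. Parses the output of:
    adb shell settings get secure enabled_accessibility_services
    adb shell settings get secure enabled_notification_listeners
Both settings are ':'-separated lists of flattened ComponentNames
("pkg/fully.qualified.Cls" or "pkg/.RelativeCls"); "null" means none enabled.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

# Assumption: components that legitimately hold these permissions on a stock
# device. Extend for your fleet (MDM agent, password manager, screen reader).
KNOWN_GOOD_PREFIXES = (
    "com.google.android.marvin.talkback",
    "com.android.",
)


@dataclass(frozen=True)
class Finding:
    package: str
    component: str
    capability: str  # "accessibility" or "notification_listener"


def parse_component_list(raw: str) -> list[tuple[str, str]]:
    """Split a settings value into (package, fully-qualified class) pairs.

    A class beginning with '.' is relative to its package, mirroring how
    ComponentName.unflattenFromString() expands it.
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    pairs: list[tuple[str, str]] = []
    for item in raw.split(":"):
        item = item.strip()
        if not item:
            continue
        if "/" not in item:
            pairs.append((item, ""))  # malformed entry: keep the package for review
            continue
        pkg, cls = item.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def suspicious(pairs: list[tuple[str, str]], capability: str) -> list[Finding]:
    """Return every component whose package is outside the allow-list."""
    return [Finding(pkg, cls, capability) for pkg, cls in pairs
            if not pkg.startswith(KNOWN_GOOD_PREFIXES)]


def triage(accessibility_raw: str, notification_raw: str) -> list[Finding]:
    """Combine both settings into one list of components worth a closer look."""
    findings = suspicious(parse_component_list(accessibility_raw), "accessibility")
    findings += suspicious(parse_component_list(notification_raw), "notification_listener")
    return findings


def read_secure_setting(name: str) -> str:
    """Live read over adb; not exercised by the constructed sample below."""
    return subprocess.run(["adb", "shell", "settings", "get", "secure", name],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample output in the real on-device format. The cleaner package
# name is hypothetical; TalkBack and SystemUI stand in for benign holders.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.cleaner.antivirus/.svc.AccService"
)
SAMPLE_NOTIFICATION = (
    "com.example.cleaner.antivirus/.svc.NotifListener:"
    "com.android.systemui/.NotificationListener"
)

if __name__ == "__main__":
    for f in triage(SAMPLE_ACCESSIBILITY, SAMPLE_NOTIFICATION):
        print(f"[{f.capability}] {f.package} -> {f.component}")
```

On a live device, replace the two constants with `read_secure_setting("enabled_accessibility_services")` and `read_secure_setting("enabled_notification_listeners")`. A package-name prefix is not authoritative (nothing stops a dropper from calling itself `com.android.something`), so corroborate a hit with `adb shell pm list packages -3` for third-party installs and `adb shell pm path <pkg>` before uninstalling; an app that appears in both lists and was installed from a "cleaner" or "antivirus" listing matches the pattern described on this page.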