New York Tech Media

Fake Antivirus Apps on Play Store Loaded with SharkBot Banking Trojan

By New York Tech Editorial Team
March 7, 2022

The SharkBot trojan was found in four fake antivirus apps on Google Play Store collectively boasting 57,000 downloads.

British IT security researchers from NCC Group have discovered an updated version of the malicious SharkBot banking trojan hidden inside an antivirus app available on the Google Play Store.

Malicious Apps Hiding SharkBot Malware

SharkBot’s new version is hidden inside a fake antivirus app, which functions as a 3-layer poison pill. The first layer masquerades as an antivirus while the second layer extracts a scaled-down SharkBot version.

The malware then downloads its newest version boasting a wide range of capabilities. Researchers spotted the latest version of SharkBot on February 28th, 2022.

Numerous Play Store Apps Leveraging the Malware

NCC Group researchers further noted that several other dropper apps also leverage Android’s Direct Reply function to infect other devices. Hence, after FluBot, SharkBot is the second banking trojan that can intercept notifications for wormable attacks.

The researchers also published the list of malicious apps, collectively boasting 57,000 downloads. The apps include:

  1. Antivirus Super Cleaner (1000+ installs).
  2. Alpha Antivirus Cleaner (5,000+ installs).
  3. Atom Clean-Booster antivirus (500+ installs).
  4. Powerful Cleaner antivirus (50,000+ installs).

About SharkBot Malware

SharkBot is a remote access banking trojan first discovered in the wild in October-November 2021 by security researchers at Cleafy. At that time, researchers concluded that the malware was unique and had no similarities or connection with other malware like Xenomorph or TeaBot.

They further explained that SharkBot was a highly sophisticated malware. Like its counterparts, e.g. FluBot, TeaBot, and Oscorp/UBEL, it is a financial trojan that can siphon credentials to transfer money from compromised devices. To perform the transfer, SharkBot circumvents MFA mechanisms.

SharkBot Unique Capabilities

What makes SharkBot stand out is the Automatic Transfer System or ATS. This unique system allows attackers to automatically move money from the victim’s account without any human intervention.

SharkBot can also carry out unauthorized transactions easily through the ATS mechanism. This is what sets it apart from TeaBot, which requires input from a live operator to conduct malicious activities on the infected devices.

NCC Group’s malware analysts Alberto Segura and Rolf Govers explained the ATS feature in their report published last week:

The ATS features allow the malware to receive a list of events to be simulated, and they will be simulated in order to do the money transfers. Since these features can be used to simulate touches/clicks and button presses, it can be used to not only automatically transfer money but also install other malicious applications or components.


Alberto Segura

This means ATS is used to deceive a bank’s fraud detection system by reproducing the sequence of actions, such as clicks or button presses, that a user would otherwise perform to make the transaction.

SharkBot: A Feature-Rich Malware

NCC Group’s cybersecurity researchers claim that SharkBot is an immensely feature-rich malware. It allows an attacker to inject fake overlays on official banking apps to obtain complete remote control of the infected device(s), log keystrokes, and steal credentials.

However, it will gain control of a device if the victim grants it Accessibility Services permission. The malware performs an overlay attack as soon as it detects an active banking app. It displays a screen similar to the app and asks for the user’s credentials while secretly activating a keylogger. Whatever the user types is sent to the attacker’s server.
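
A defender-side check for the permission described above, as an added example that is not from the article or from NCC Group's report: it parses the output of two adb commands and lists user-installed apps that hold an enabled accessibility service. The sample outputs and package names are constructed, and the allowlist parameter is an assumption of this example.

```python
# Added example: flag user-installed apps that hold an enabled accessibility service.
# Inputs are the text output of two adb commands (the samples below are constructed):
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3

SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.supercleaner/com.example.supercleaner.core.AssistService"
)
SAMPLE_THIRD_PARTY = """\
package:com.example.supercleaner
package:org.example.notes
"""

def parse_a11y_services(value):
    """Split the colon-separated setting into (package, class) pairs."""
    value = value.strip()
    if value in ("", "null"):          # setting is unset when no service is enabled
        return []
    services = []
    for component in value.split(":"):
        package, _, cls = component.strip().partition("/")
        if not package or not cls:
            continue                   # skip malformed entries
        if cls.startswith("."):        # ".Svc" is shorthand for "<package>.Svc"
            cls = package + cls
        services.append((package, cls))
    return services

def parse_third_party(pm_output):
    """Return the set of package names from `pm list packages -3` output."""
    return {line.strip()[len("package:"):] for line in pm_output.splitlines()
            if line.strip().startswith("package:")}

def risky_a11y_apps(a11y_value, pm_output, allowlist=frozenset()):
    """User-installed, non-allowlisted packages with an enabled accessibility service.
    Play Store origin is not treated as trust: the droppers in the article came from it."""
    third_party = parse_third_party(pm_output)
    return [(pkg, cls) for pkg, cls in parse_a11y_services(a11y_value)
            if pkg in third_party and pkg not in allowlist]

if __name__ == "__main__":
    for pkg, cls in risky_a11y_apps(SAMPLE_A11Y, SAMPLE_THIRD_PARTY):
        print(f"review: {pkg} has accessibility service {cls} enabled")
```

Preinstalled services such as a screen reader are skipped because they do not appear in the `-3` (third-party) package list; each remaining hit still needs manual review.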

Furthermore, the malware can intercept and hide SMS messages, hijack incoming notifications, and send out messages originating with the attackers’ C2 server. Through these tactics, it can gain full control of an Android smartphone.
