SharkBot banking malware has infiltrated the Google Play Store, the official Android app repository, posing as an antivirus with system cleaning capabilities.
Although the trojan app was far from popular, its presence in the Play Store shows that malware distributors can still bypass Google’s automatic defenses. The app was still present in Google’s store at the time of writing.
The malware was first discovered by Cleafy in October 2021. Its most significant feature, which set it apart from other banking trojans, was transferring money via Automatic Transfer Systems (ATS). This was possible by simulating touches, clicks, and button presses on compromised devices.
The malware can also receive commands from the C2 server to execute various actions such as:
- Send SMS to a number
- Change SMS manager
- Download a file from a specified URL
- Receive an updated configuration file
- Uninstall an app from the device
- Disable battery optimization
- Display phishing overlay
- Activate or stop ATS
- Close a specific app (like an AV tool) when the user attempts to open it
Replying to notifications
One of the notable differences between SharkBot and other Android banking trojans is its use of relatively new components that leverage the ‘Direct reply’ feature for notifications.
If you’re looking for an Android antivirus, there are several trustworthy vendors who offer their tools for download.
The four primary functions in SharkBot’s latest version are:
- Injections (overlay attack): SharkBot can steal credentials by showing web content (WebView) with a fake login website (phishing) as soon as it detects that the official banking app has been opened.
- Keylogging: SharkBot can steal credentials by logging accessibility events (related to text field changes and buttons clicked) and sending these logs to the command and control server (C2).
- SMS intercept: Sharkbot can intercept/hide SMS messages.
- Remote control/ATS: Sharkbot has the ability to obtain full remote control of an Android device (via Accessibility Services).
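The capabilities listed above (Accessibility-driven remote control and keylogging, SMS interception and taking over the SMS manager role, overlay injection, notification access for Direct reply, battery-optimization bypass, uninstalling other apps) each leave a footprint in an app's manifest. The following is an added example, not code from the article or from any of the vendors it cites: a static triage script that reads a decoded AndroidManifest.xml (the text form apktool produces, not the binary manifest inside the APK) and reports which of those capabilities the app declares. The package name, class names and the two sample manifests are constructed for the example; the permission and intent-action strings are the real Android ones.

```python
"""Static triage of an Android manifest for the SharkBot-style capability set.

Added example: the manifests below are constructed, not taken from a real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# Capability -> declared <uses-permission> entries that enable it.
PERMISSION_SIGNALS = {
    "sms_intercept": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "battery_opt_bypass": {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    "uninstall_apps": {"android.permission.REQUEST_DELETE_PACKAGES"},
}

# Capability -> the system "bind" permission a <service> must carry to get it.
SERVICE_SIGNALS = {
    "accessibility_control": "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "notification_access": "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return {capability: [evidence, ...]} for every capability the manifest declares."""
    root = ET.fromstring(manifest_xml)
    findings = {}

    declared = {_attr(p, "name") for p in root.iter("uses-permission")}
    for capability, perms in PERMISSION_SIGNALS.items():
        hits = sorted(declared & perms)
        if hits:
            findings[capability] = hits

    app = root.find("application")
    if app is not None:
        # Services bound by the system: accessibility and notification listeners.
        for svc in app.iter("service"):
            for capability, bind_perm in SERVICE_SIGNALS.items():
                if _attr(svc, "permission") == bind_perm:
                    findings.setdefault(capability, []).append(_attr(svc, "name"))
        # A receiver for SMS_DELIVER guarded by BROADCAST_SMS is what an app needs
        # to become the default SMS app, i.e. to "change the SMS manager".
        for rcv in app.iter("receiver"):
            actions = {_attr(a, "name") for a in rcv.iter("action")}
            if (_attr(rcv, "permission") == "android.permission.BROADCAST_SMS"
                    or "android.provider.Telephony.SMS_DELIVER" in actions):
                findings.setdefault("default_sms_app", []).append(_attr(rcv, "name"))
    return findings


def verdict(findings: dict) -> str:
    """Rate the combination: accessibility plus any theft channel is the banker pattern."""
    theft_channels = {"overlay", "sms_intercept", "default_sms_app", "notification_access"}
    if "accessibility_control" in findings and theft_channels & findings.keys():
        return "high"
    if "accessibility_control" in findings or {"overlay", "sms_intercept"} <= findings.keys():
        return "medium"
    return "low"


# Constructed manifest of a fake "cleaner" that declares the full capability set.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakecleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application android:label="Antivirus Cleaner">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".SmsReceiver"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of a cleaner that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plaincleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Cleaner"/>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        f = triage_manifest(xml)
        print(label, verdict(f), f)
```

A system cleaner has no business binding an accessibility service or registering for SMS_DELIVER, so the "high" verdict here comes from the combination rather than from any single permission; a legitimate SMS client or accessibility tool would trip individual signals and should be reviewed by hand rather than blocked on this score alone.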