SharkBot, the new generation banking Trojan distributed via Play Store

SharkBot banking malware was able to evade Google Play Store security checks masqueraded as an antivirus app.

SharkBot is a banking trojan that has been active since October 2021, it allows to steal banking account credentials and bypass multi-factor authentication mechanisms.

The malware was spotted at the end of October by researchers from cyber security firms Cleafy and ThreatFabric, the name comes after one of the domains used for its command and control servers.

The malware was observed targeting the mobile users of banks in Italy, the UK, and the US. The trojan allows to hijack users’ mobile devices and steal funds from online banking and cryptocurrency accounts.

SharkBot is able to perform unauthorized transactions via Automatic Transfer Systems (ATS), an advanced attack technique that is uncommon within Android malware.

ATS enables attackers to auto-fill fields in legitimate mobile banking apps and initiate money transfers without a live operator intervention to authorize the transactions. Researchers pointed out that this technique allows the malware to receive a list of events to be simulated, allowing attackers to automate and scale up their operations.

“The ATS features allow the malware to receive a list of events to be simulated, and them will be simulated in order to do the money transfers.” reads the report published by NCC Group. “Since this features can be used to simulate touches/clicks and button presses, it can be used to not only automatically transfer money but also install other malicious applications or components.”

Experts discovered a reduced version of the SharkBot trojan in the official Google Play Store, it only includes minimum required features, such as ATS, that allows it to install a full version of the Trojan.

The malware was distributed via Google Play Store as a fake Antivirus, it abuses the ‘Direct Reply‘ Android feature to automatically send reply notification with a message to download the fake Antivirus app.

This spread strategy abusing the Direct Reply feature has been seen recently in another banking malware called Flubot, discovered by ThreatFabric.

SharkBot allows to steal banking credentials in Android with one of the following techniques, most of which requests victims to enable the Accessibility Permissions & Services:

• Injections (overlay attack): SharkBot can steal credentials by showing a WebView with a fake log in website (phishing) as soon as it detects the official banking app has been opened.
• Keylogging: Sharkbot can steal credentials by logging accessibility events (related to text fields changes and buttons clicked) and sending these logs to the command and control server (C2).
• SMS intercept: Sharkbot has the ability to intercept/hide SMS messages.
• Remote control/ATS: Sharkbot has the ability to obtain full remote control of an Android device (via Accessibility Services).

NCC group experts have shared indicators of compromise for this threat, including the list of tainted apps uploaded to the Google Play Store that have been downloaded tens of thousands times:

• Antivirus, Super Cleaner (com.abbondioendrizzi.antivirus.supercleaner)
• Atom Clean-Booster, Antivirus (com.abbondioendrizzi.tools.supercleaner)
• Alpha Antivirus, Cleaner (com.pagnotto28.sellsourcecode.alpha)
• Powerful Cleaner, Antivirus (com.pagnotto28.sellsourcecode.supercleaner)

“One of the distinctive parts of SharkBot is that it uses a technique known as Automatic Transfer System (ATS). ATS is a relatively new technique used by banking malware for Android.” concludes the report. “To summarize ATS can be compared with webinject, only serving a different purpose. Rather then gathering credentials for use/scale it uses the credentials for automatically initiating wire transfers on the endpoint itself (so without needing to log in and bypassing 2FA or other anti-fraud measures).”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Sharkbot)

[adrotate banner=”5″]

[adrotate banner=”13″]v