Last year, NCC Group and many other researchers noted an increase in Android malware, particularly Android banking malware. NCC Group’s Threat Intelligence team is keeping a close eye on several of these malware families in order to provide useful information to our customers about these risks. In addition to the more well-known Android banking malware, NCC Group’s Threat Intelligence team keeps an eye on new trends and families that may pose a threat to our customers.
SharkBot, an Android banking trojan, is one of these newer families. During our investigation we found that the malware was being distributed through the official Google Play Store.
SharkBot, like its counterparts TeaBot, FluBot and Oscorp, belongs to a class of financial trojans that steal credentials and use them to initiate money transfers from infected devices, bypassing multi-factor authentication along the way.
SharkBot differs from TeaBot in that it can carry out fraudulent transactions autonomously through an Automatic Transfer System (ATS), whereas TeaBot requires a human operator to interact with the infected device in order to perform harmful actions.
The Threat Intelligence team at NCC Group is continuing to investigate SharkBot and is still unearthing fresh information. Shortly after publishing the original blog post, we discovered several additional SharkBot droppers in the Google Play Store. All of them behave the same way; in fact, the code appears to be a literal copy-paste from one to the next, and all of them use the same C2 server. We promptly reported our findings to Google.
The latest version, discovered on the Google Play Store on February 28, includes a number of dropper apps that abuse Android’s Direct Reply feature to spread to other devices: the malware intercepts incoming notifications and replies to them with a link to itself. This makes SharkBot only the second Android banking trojan, after FluBot, to intercept notifications in order to propagate in a worm-like fashion.
The malicious apps, all of which were updated on February 10, have been collectively installed about 57,000 times:
- 1,000+ installs of Antivirus, Super Cleaner (com.abbondioendrizzi.antivirus.supercleaner)
- 500+ installs of Atom Clean-Booster, Antivirus (com.abbondioendrizzi.tools.supercleaner)
- 5,000+ installs of Alpha Antivirus, Cleaner (com.pagnotto28.sellsourcecode.alpha)
- 50,000+ installs of Powerful Cleaner, Antivirus (com.pagnotto28.sellsourcecode.supercleaner)
The researchers concluded: “SharkBot is also feature-rich in that it allows the attacker to insert fake overlays on top of official banking apps in order to steal credentials, log keystrokes, and gain complete remote control over the devices, but only if the victims grant it Accessibility Services capabilities.” The findings come only a week after Cleafy researchers disclosed a new TeaBot variant found in the Play Store that targets users of more than 400 banking and financial apps in Russia, China and the United States.
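The two capabilities the article keeps returning to, an Accessibility Service (overlays, keylogging, remote control) and notification interception (the Direct Reply spreading trick), both have to be declared in an app’s manifest, so a quick manifest triage is a practical first check on a suspicious “cleaner/antivirus” APK. The following is an added example written for this page, not NCC Group’s or Google’s tooling. It parses an already-decoded AndroidManifest.xml and flags the combination of a `BIND_ACCESSIBILITY_SERVICE` service and a `BIND_NOTIFICATION_LISTENER_SERVICE` service; treating `SYSTEM_ALERT_WINDOW` as an overlay signal is the editor’s addition, since the article only says overlays are drawn over banking apps. The two manifests and the package name `com.example.cleaner` are constructed test data.

```python
"""Triage a decoded AndroidManifest.xml for the capability combination
SharkBot-style droppers/payloads rely on. Added example for this page;
it is not NCC Group code and the manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:NAME attribute regardless of the prefix used in the file."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# Service-level permissions only the system may hold; a service declared with one
# of these is asking to be bound as an AccessibilityService / NotificationListener.
SERVICE_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
}

# App-level permissions worth noting alongside the above. Assumption (editor's
# addition): SYSTEM_ALERT_WINDOW is the classic way to draw an overlay window.
USES_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay_window",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, the signals found, the flagged service class
    names, and a 'suspicious' verdict for the accessibility+notification combo."""
    root = ET.fromstring(manifest_xml)
    findings = {"package": root.get("package"), "signals": [], "services": []}

    for perm in root.iter("uses-permission"):
        name = _attr(perm, "name")
        if name in USES_PERMISSIONS:
            findings["signals"].append(USES_PERMISSIONS[name])

    for svc in root.iter("service"):
        perm = _attr(svc, "permission")
        if perm in SERVICE_PERMISSIONS:
            findings["signals"].append(SERVICE_PERMISSIONS[perm])
            findings["services"].append(_attr(svc, "name"))

    # Either service alone is common in legitimate apps (screen readers, chat
    # clients); the pair inside a "cleaner" app is the combination to escalate.
    findings["suspicious"] = {"accessibility_service", "notification_listener"} <= set(findings["signals"])
    return findings


# Constructed sample: what a SharkBot-style payload's manifest would declare.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Cleaner">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with no such services.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <service android:name=".SyncService"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for xml_text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(xml_text)
        print(result["package"], "suspicious" if result["suspicious"] else "ok", result["signals"])
```

On a real APK the manifest is binary XML, so decode it first (for example with `apktool d` or `aapt dump xmltree`) and feed the resulting text to `triage_manifest`. The verdict is a triage signal, not proof of malice: the point is to pull out the small set of apps that ask for exactly what the article describes SharkBot needing.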
Indicators of Compromise
- a56dacc093823dc1d266d68ddfba04b2265e613dcc4b69f350873b485b9e1f1c (Google Play SharkBot dropper)
- 9701bef2231ecd20d52f8fd2defa4374bffc35a721e4be4519bda8f5f353e27a (dropped SharkBot v1.64.1)
- 20e8688726e843e9119b33be88ef642cb646f1163dce4109b8b8a2c792b5f9fc (Google Play SharkBot dropper)
- 187b9f5de09d82d2afbad9e139600617685095c26c4304aaf67a440338e0a9b6 (Google Play SharkBot dropper)
- e5b96e80935ca83bbe895f6239eabca1337dc575a066bb6ae2b56faacd29dd (Google Play SharkBot dropper)
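To actually use the list above you hash the APKs you have collected and look them up, but an IoC feed should be validated before it is trusted: four of the five hashes are 64 hex digits (SHA-256), while the last one as printed on this page is 62 digits long and can therefore never match anything. The following is an added example, not NCC Group’s tooling; the indicator strings are copied from the list above, and the sample bytes hashed in the test run are constructed.

```python
"""Validate the SharkBot IoC hashes and match samples against them.
Added example for this page; the IoC strings are those listed above,
everything hashed below is constructed test data."""
import hashlib
import re
from pathlib import Path

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Indicators exactly as listed on this page (hash -> label).
IOCS = {
    "a56dacc093823dc1d266d68ddfba04b2265e613dcc4b69f350873b485b9e1f1c": "Google Play SharkBot dropper",
    "9701bef2231ecd20d52f8fd2defa4374bffc35a721e4be4519bda8f5f353e27a": "dropped SharkBot v1.64.1",
    "20e8688726e843e9119b33be88ef642cb646f1163dce4109b8b8a2c792b5f9fc": "Google Play SharkBot dropper",
    "187b9f5de09d82d2afbad9e139600617685095c26c4304aaf67a440338e0a9b6": "Google Play SharkBot dropper",
    "e5b96e80935ca83bbe895f6239eabca1337dc575a066bb6ae2b56faacd29dd": "Google Play SharkBot dropper",
}


def validate_iocs(iocs: dict) -> tuple:
    """Split indicators into usable SHA-256 values and malformed entries.
    A truncated or mistyped hash silently matches nothing, so report it."""
    valid, malformed = {}, []
    for raw, label in iocs.items():
        h = raw.strip().lower()
        if SHA256_RE.match(h):
            valid[h] = label
        else:
            malformed.append((raw, label))
    return valid, malformed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_samples(samples: dict, iocs: dict) -> dict:
    """samples: name -> file bytes. Returns name -> IoC label for every hit."""
    valid, _ = validate_iocs(iocs)
    hits = {}
    for name, blob in samples.items():
        digest = sha256_hex(blob)
        if digest in valid:
            hits[name] = valid[digest]
    return hits


def match_files(paths, iocs: dict) -> dict:
    """Same as match_samples, but over files on disk (e.g. a directory of APKs)."""
    return match_samples({str(p): Path(p).read_bytes() for p in paths}, iocs)


if __name__ == "__main__":
    valid, malformed = validate_iocs(IOCS)
    print(f"{len(valid)} usable indicators")
    for raw, label in malformed:
        print(f"malformed indicator ({len(raw)} hex chars, expected 64): {raw} [{label}]")
    # Constructed sample bytes; no real APK is needed to exercise the matcher.
    print("hits:", match_samples({"sample.apk": b"constructed sample"}, IOCS))
```

Running it against a directory is `match_files(Path("apks").glob("*.apk"), IOCS)`. Matching by file hash only catches the exact builds listed; since the article notes the droppers are near-identical copies with the same C2, a rebuilt dropper will have a new hash, which is why the manifest-level checks earlier in the page matter as a second layer.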