SharkBot banking trojan resurfaces on Google Play Store hidden behind 7 new apps


No less than seven malicious Android apps discovered on the Google Play Store posed as antivirus solutions to deploy a banking Trojan called SharkBot.

“SharkBot steals credentials and banking information,” Check Point researchers Alex Shamshur and Raman Ladutska said in a report shared with The Hacker News. “This malware implements geofencing functionality and evasion techniques, which sets it apart from other malware.”

In particular, the malware is designed to ignore users located in China, India, Romania, Russia, Ukraine, and Belarus. The malicious apps were reportedly installed more than 15,000 times before being removed, with most of the victims located in Italy and the UK.

The report complements previous findings by the NCC Group, which found the banking trojan posing as antivirus applications to conduct unauthorized transactions through automatic transfer systems (ATS).

SharkBot takes advantage of Android’s Accessibility Services permissions to present fake windows overlaid on top of legitimate banking apps. When unsuspecting users enter their usernames and passwords into these windows, which mimic the genuine credential entry forms, the captured data is sent to a malicious server.
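Because overlay trojans of this kind depend on an Accessibility Service being enabled, one cheap defensive check is to compare the services enabled on a device against the ones you expect. The script below is an added example, not code from the article or from Check Point; it parses the colon-separated value that `adb shell settings get secure enabled_accessibility_services` prints, and the allowlist, the sample value and the `com.example.fakeav` component are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added defender example (not from the article): audit the accessibility
# services enabled on an Android device against an allowlist. Live input is
#   adb shell settings get secure enabled_accessibility_services
# which prints colon-separated "package/ServiceClass" component names.

# Assumption: the services you expect on managed devices (edit for your fleet).
ALLOWED="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Constructed sample, not captured from a real device: one legitimate screen
# reader plus a hypothetical service registered by a fake "antivirus" app.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeav/com.example.fakeav.AccessService"

# list_unexpected RAW: print each enabled component that is not allowlisted.
list_unexpected() {
  raw=$(printf '%s' "$1" | tr -d '\r')   # adb output carries CRLF line endings
  set -f; old_ifs=$IFS; IFS=:
  set -- $raw                            # split on ':' with globbing disabled
  IFS=$old_ifs; set +f
  for comp in "$@"; do
    [ -n "$comp" ] || continue
    case ":$ALLOWED:" in
      *":$comp:"*) ;;                    # expected service, nothing to report
      *) printf '%s\n' "$comp" ;;
    esac
  done
}

# count_unexpected RAW: number of non-allowlisted services (0 means clean).
count_unexpected() {
  list_unexpected "$1" | awk 'END { print NR }'
}

# audit RAW: human-readable report; exit status 1 when something needs review.
audit() {
  n=$(count_unexpected "$1")
  if [ "$n" -eq 0 ]; then
    echo "OK: only allowlisted accessibility services are enabled"
    return 0
  fi
  echo "REVIEW: $n unexpected accessibility service(s) enabled:"
  list_unexpected "$1" | sed 's/^/  /'
  return 1
}

# Run against the constructed sample. With a device attached, use instead:
#   audit "$(adb shell settings get secure enabled_accessibility_services)"
audit "$SAMPLE" || true
```

On a real device the same idea extends to the overlay permission itself, which you can read per package with `adb shell appops get <package> SYSTEM_ALERT_WINDOW`; an unknown "antivirus" app holding both an Accessibility Service and the overlay grant is exactly the combination the article describes.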

A notable new feature of SharkBot is its ability to automatically reply to notifications from Facebook Messenger and WhatsApp with a phishing link to the fake antivirus app, thereby spreading the malware like a worm. Similar functionality was integrated into FluBot earlier in February.

“What’s also remarkable here is that threat actors send messages to victims containing malicious links, which leads to widespread adoption,” said Alexander Chailytko, head of cybersecurity, research and innovation at Check Point Software.

“Overall, the use of push messages by threat actors demanding a response from users is an unusual propagation technique.”

The latest findings come as Google has taken steps to ban 11 apps from the Play Store on March 25 after they were caught embedding an invasive SDK to discreetly harvest user data, including precise location information, email and phone numbers, nearby devices, and passwords.
