Heads up, Android users! Another banking malware has attempted to target Android users by impersonating legit apps. Identified as “SharkBot,” the banking trojan bypassed Google’s checks to appear on Play Store as antivirus apps. Users must ensure they validate the legitimacy of the app developer before downloading any app from the Play Store.
SharkBot Android Trojan On Play Store
Researchers from NCC Group have highlighted how the SharkBot Android banking trojan surfaced on Google Play Store.
SharkBot isn’t a newly discovered malware. Instead, it first caught the attention of the Cleafy Threat Intelligence Team in late 2021. At that time, the malware typically executed malicious campaigns against EU banks.
According to Cleafy’s analysis, SharkBot exhibits robust stealth capabilities to evade detection, such as hiding app icon following installation, anti-emulator checks, anti-delete mechanism, external ATS module, string obfuscation, and encrypted communication with its C&C.
After successfully infecting the target device, the malware would access SMS messages, presumably, to overcome 2FA limitations, display screen overlays to steal login credentials and card details, and trigger ATS attacks to steal money.
According to NCC Group, this dangerous malware has now evolved to bypass Google security checks and infect the Play Store. The researchers observed multiple malware droppers on the Play Store, impersonating various apps.
In most cases, the malware droppers posed as antivirus and phone cleaning apps to bluff users.
Upon reaching the target device, the malware performs two main functions. First, spreading the infection further to other devices by exploiting the notification’s auto-reply feature. Second, it triggers ATS features to download the SharkBot malware from the C&C.
The researchers have shared a detailed technical analysis of the malware in their blog post.
Google Removed Malicious Apps
Upon discovering the malicious apps, the researchers reported the matter to Google. Consequently, the tech giant removed them from the Play Store.
Following are the Play Store links to some of the malicious apps comprising this campaign.
- hxxps://play.google.com/store/apps/details?id=com.abbondioendrizzi.antivirus.supercleaner
- hxxps://play.google.com/store/apps/details?id=com.abbondioendrizzi.tools.supercleaner
- hxxps://play.google.com/store/apps/details?id=com.pagnotto28.sellsourcecode.alpha
- hxxps://play.google.com/store/apps/details?id=com.pagnotto28.sellsourcecode.supercleaner
Nonetheless, the malware might reappear on the Play Store at any time, posing as some other malicious apps. Therefore, users should remain careful when downloading apps from untrusted or unknown developers.