Thursday, April 18, 2024

SharkBot – New Generation Malware on Google Play Distributed as Android Antivirus App

By Guru baran

SharkBot Malware

While malware distributors may have a harder time getting their malicious apps through Google’s automatic scanning and flagging system, but, SharkBot shows that they can easily bypass the company’s security barriers and even human or manual verifications. 

Although the app was unpopular, its presence in Google Play Store shows that nobody but the distribution platform itself should have control over what gets published on the store.

While this new generation of SharkBot malware was distributed as an Android antivirus application on the Google Play Store.

This new generation of SharkBot has been discovered by the cybersecurity analysts at the NCC Group in Google Play Store.

Abilities of SharkBot

In October 2021, Cleafy security firm first discovered this malware, and it differed from previous banking trojans not only by transferring money in a previously unseen way but also by targeting Automatic Transfer Systems (ATS). 

Moreover, it was able to carry out this scheme initially by simulating touches and clicks on the user’s device – until eventually, the user moved into carrying out physical button-presses on the affected devices.

While the cybersecurity firm, NCC has claimed that the new version of SharkBot also offers the money transfer feature but, in this case, this feature is used in advanced attacks only.

Here below we have mentioned all the key features of SharkBot’s latest version:-

  • Injections (overlay attack): SharkBot can steal credentials by showing a WebView with a fake login website (phishing) as soon as it detects the official banking app has been opened.
  • Keylogging: Sharkbot can steal credentials by logging accessibility events (related to text fields changes and buttons clicked) and sending these logs to the command and control server (C2).
  • SMS intercept: Sharkbot has the ability to intercept/hide SMS messages.
  • Remote control/ATS: Sharkbot has the ability to obtain full remote control of an Android device through Accessibility Services. 

To abuse, all these features, SharkBot exploits the Accessibility permission on Android through which in the later period, it grants all the additional permissions as required.

Commands Received from the C2 server

Here below we have listed all the commands that are received from the C2 server along with their respective actions:-

  • smsSend: used to send a text message.
  • updateLib: used to request the malware downloads a new JAR file from the specified URL.
  • updateSQL: used to send the SQL query to be executed in the SQLite database.
  • stopAll: used to reset/stop the ATS feature.
  • updateConfig: used to send an updated config to the malware.
  • uninstallApp: used to uninstall the specified app.
  • changeSmsAdmin: used to change the SMS manager app.
  • getDoze: used to check if the permissions to ignore battery optimization are enabled or not.
  • sendInject: used to show an overlay to steal user’s credentials
  • getNotify: used to show the Notification Listener settings if they are not enabled for the malware.
  • APP_STOP_VIEW: used to close the specified app.
  • downloadFile: used to download one file from the specified URL.
  • updateTimeKnock: used to update the last request timestamp for the bot.
  • localATS: used to enable ATS attacks.

One of the remarkable differences between SharkBot and other Android banking trojans is its improved capabilities.

An interesting new update from SharkBot was its integration of an Android framework function known as “Direct Reply” that enables app developers to create replies for notifications straight from the C2.

By leveraging this relatively new framework feature, bank-fraud applications such as SharkBot have been able to intercept incoming notifications and then automatically reply to them with messages coming directly from their Command & Control servers.

By replying with a shortened Bit.ly URL, the operators of SharkBot uses this feature to drop the feature-rich payloads on the compromised system.

Here to make the detection more complex, the C2 relies on a DGA system and also blocks the command-issuing domains of SharkBot.

Recommendation

However, to remain protected, the security experts at NCC has strongly recommended users to follow some basic security rules:-

  • Do not blindly trust any apps on the Play Store.
  • Always try to keep installed minimum apps on your device.
  • Must use robust and trusted Antivirus tools.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Managed WAF Protection

Website

Latest articles

cyber security

Armis Acquires AI-based Vulnerability Detection Firm Silk Security

Armis, a leading cybersecurity company, has acquired Silk Security, an AI-powered vulnerability detection firm.The...
Cyber Attack

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a...
cyber security

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber...
CVE/vulnerability

FGVulDet – New Vulnerability Detector to Analyze Source Code

Detecting source code vulnerabilities aims to protect software systems from attacks by identifying inherent...
Cyber Crime

North Korean Hackers Abuse DMARC To Legitimize Their Emails

DMARC is targeted by hackers as this serves to act as a preventative measure...
Cyber Security News

L00KUPRU Ransomware Attackers discovered in the wild

A new variant of the Xorist ransomware, dubbed L00KUPRU, has been discovered in the...
Computer Security

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

WAAP/WAF ROI Analysis

Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

    • Book Your Spot

Related Articles

Connect with GBHackers On Security

Join 70,000 Security Professionals

Stay safe online with free daily cybersecurity updates. Sign up now!

GBHackers on security is a highly informative and reliable Cyber Security News platform that provides the latest and most relevant updates on Cyber Security News, Hacking News, Technology advancements, and Kali Linux tutorials on a daily basis. The platform is dedicated to keeping the community well-informed and up-to-date with the constantly evolving Cyber World.

Menu

Contact US:

Email : [email protected]