While malware distributors may have a harder time getting their malicious apps through Google’s automatic scanning and flagging system, but, SharkBot shows that they can easily bypass the company’s security barriers and even human or manual verifications.
Although the app was unpopular, its presence in Google Play Store shows that nobody but the distribution platform itself should have control over what gets published on the store.
While this new generation of SharkBot malware was distributed as an Android antivirus application on the Google Play Store.
This new generation of SharkBot has been discovered by the cybersecurity analysts at the NCC Group in Google Play Store.
In October 2021, Cleafy security firm first discovered this malware, and it differed from previous banking trojans not only by transferring money in a previously unseen way but also by targeting Automatic Transfer Systems (ATS).
Moreover, it was able to carry out this scheme initially by simulating touches and clicks on the user’s device – until eventually, the user moved into carrying out physical button-presses on the affected devices.
While the cybersecurity firm, NCC has claimed that the new version of SharkBot also offers the money transfer feature but, in this case, this feature is used in advanced attacks only.
Here below we have mentioned all the key features of SharkBot’s latest version:-
To abuse, all these features, SharkBot exploits the Accessibility permission on Android through which in the later period, it grants all the additional permissions as required.
Here below we have listed all the commands that are received from the C2 server along with their respective actions:-
One of the remarkable differences between SharkBot and other Android banking trojans is its improved capabilities.
An interesting new update from SharkBot was its integration of an Android framework function known as “Direct Reply” that enables app developers to create replies for notifications straight from the C2.
By leveraging this relatively new framework feature, bank-fraud applications such as SharkBot have been able to intercept incoming notifications and then automatically reply to them with messages coming directly from their Command & Control servers.
By replying with a shortened Bit.ly URL, the operators of SharkBot uses this feature to drop the feature-rich payloads on the compromised system.
Here to make the detection more complex, the C2 relies on a DGA system and also blocks the command-issuing domains of SharkBot.
However, to remain protected, the security experts at NCC has strongly recommended users to follow some basic security rules:-
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.
Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…
The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…
A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…
Meta has announced the removal of over 2 million accounts connected to malicious activities, including…
Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…
A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…