Seven malicious Android applications identified on the Google Play Store pretended to be antivirus solutions in order to spread the SharkBot banking trojan. According to a report by Check Point researchers Alex Shamshur and Raman Ladutska, SharkBot illegally obtains credentials and banking information. Its geofencing function and evasion strategies distinguish it from other malware.
Users from China, India, Romania, Russia, Ukraine, and Belarus are targeted explicitly by the trojan. The malicious apps were downloaded more than 15,000 times before being removed, with most of the victims located in Italy and the United Kingdom. The research adds to NCC Group’s prior discoveries, which revealed that a bankbot posing as an antivirus program was carrying out illicit transactions via Automatic Transfer Systems (ATS).
SharkBot uses Android's Accessibility Services permissions to display fake overlay windows on top of legitimate banking apps. When unwary users type their usernames and passwords into windows that look like genuine credential input forms, the information is intercepted and sent to a malicious server. One new feature of SharkBot is its ability to automatically reply to Facebook Messenger and WhatsApp messages with a phishing link to the fake antivirus app, spreading the malware in a worm-like manner. Similar functionality was added to FluBot earlier in February.
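A defender-side check for the Accessibility Services abuse described above, as an added example that is not from the Check Point report: it parses the output of two adb commands and lists apps with an enabled accessibility service that are not on an allowlist. The allowlist, the package names and the sample data are constructed assumptions.

```python
# Added example: audit which apps hold an enabled accessibility service.
# Inputs are the text output of two adb commands, captured beforehand:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
import re

# Assumption: packages your organisation permits to run an accessibility service.
ALLOWED = {"com.google.android.marvin.talkback"}

def parse_services(raw):
    """Return (package, service_class) pairs from the colon-separated setting."""
    raw = raw.strip()
    if not raw or raw == "null":          # setting unset or empty
        return []
    pairs = []
    for item in raw.split(":"):
        pkg, sep, cls = item.strip().partition("/")
        if not (pkg and sep and cls):     # skip malformed entries
            continue
        if cls.startswith("."):           # short form: .Svc -> pkg.Svc
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs

def parse_installers(raw):
    """Map package -> installer from `pm list packages -i` lines."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", raw, re.M))

def audit(services_raw, installers_raw, allowed=ALLOWED):
    """List enabled accessibility services that are not on the allowlist."""
    installers = parse_installers(installers_raw)
    findings = []
    for pkg, cls in parse_services(services_raw):
        if pkg not in allowed:
            findings.append({"package": pkg, "service": cls,
                             "installer": installers.get(pkg, "unknown")})
    return findings

# Constructed sample data (hypothetical package names, not from the report).
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/"
                   "com.google.android.marvin.talkback.TalkBackService:"
                   "com.example.fakeav/.CleanerService")
SAMPLE_INSTALLERS = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeav  installer=com.android.vending
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVICES, SAMPLE_INSTALLERS):
        print(finding)
```

The installer field is informational only: the apps in this campaign were distributed through the Play Store, so a `com.android.vending` installer does not clear a finding.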
“What’s also noteworthy here is that the threat actors push messages to victims containing malicious links, which leads to widespread adoption,” said Alexander Chailytko, cyber security, research and innovation manager at Check Point Software. “All in all, the use of push-messages by the threat actors requesting an answer from users is an unusual spreading technique.”
On March 25, Google took measures to remove 11 applications from the Play Store after they were discovered to be using an intrusive SDK to steal user data such as exact location information, nearby devices, email and phone numbers, and passwords.