EXECUTIVE SUMMARY:

SharkBot belongs to a category of malware capable of circumnavigating multi-factor authentication, stealing credentials, and authorizing transfers of a person’s bank balances. It ultimately deceives banks’ fraud detection systems.

When the SharkBot malware first appeared on the Google Play Store, it masqueraded as an antivirus application. SharkBot’s presence on the Google Play Store reinforces the fact that malicious apps can indeed slip past Google’s security controls.

SharkBot victims

As of the current writing, SharkBot has largely affected banking customers in the UK, Italy and in the US.

SharkBot’s capabilities

The malware’s most notable feature includes the ability to transfer money via Automatic Transfer Systems (ATS). In the latest version of SharkBot, the primary capabilities consist of:

  • Injections (overlay attack): Upon detection of certain banking apps, SharkBot can pinch credentials by showing users fake banking domain addresses.
  • Keylogging: SharkBot steals credentials by logging accessibility events (related to text field changes and buttons clicked) and delivering those logs to the command and control server.
  • SMS interception: SharkBot retains the potential to intercept/hide text messages.
  • Remote control/ATS: SharkBot can gain full remote control over an Android device through Accessibility Services.

In order to follow through on the above, SharkBot abuses the accessibility permission on Android, then granting itself further permissions on an as-needed basis.

SharkBot technical details

SharkBot can also receive commands from the C2 server, enabling it to execute functions such as:

  • Sending a text message to a phone number
  • Changing a text message manager
  • Downloading a file from a specified URL
  • Receiving an updated configuration file
  • Disabling battery optimization
  • Closing a specific app when the user aims to open it

And more.

Sharkbot vs. other Android banking trojans

There are numerous Android banking trojans out there. What makes SharkBot unique?

SharkBot uses a relatively new component that leverages the ‘Direct reply’ feature for notifications. This means that SharkBot can intercept new notifications and respond to them with messages that directly emanate from the C2.

This feature enables SharkBot to drop feature-rich payloads onto compromised devices by replying with a shortened Bit.ly URL.

The original SharkBot dropper app includes a light version of the real malware in order to limit the risk of detection by the app store.

Fake antivirus cleaner
Google Play Store image showing antivirus cleaner app that hides SharkBot.

Via the ‘auto reply’ feature, a complete version of SharkBot, featuring ATS, is obtained directly from the C2. This is automatically installed on the device.

Making detection and blocking of command-issuing domains difficult, the C2 relies on a domain generation algorithm system.

In conclusion

Experts note that SharkBot underscores the need for banks to monitor user transactions from the behavioral standpoint, ensuring that they have the capacity to deploy interventions and to halt malicious account takeover activities.

Thus far, SharkBot has not spread beyond roughly 1,000 downloads. If you have installed an “Antivirus, Super Cleaner” from the Google Play Store, delete the app immediately and consider wiping your device.

Whenever downloading an app from the Play Store, ensure that you check reviews, examine the number of people who have previously downloaded the app, and conduct some reconnaissance of your own on the app’s utility and authenticity.

Lastly, for more information about banking malware, please see CyberTalk.org’s past coverage.