Contributed by George Mack, Content Marketing Manager, Check Point Software.
Over 15,000 Android users installed applications used to spread Sharkbot malware, which is capable of stealing your credentials and banking information.
According to Check Point Research, earlier this year, there were a total of six Android applications masquerading as anti-virus solutions. Google has removed these apps from the Play Store, but if you installed any of the apps below, you should delete them immediately.
Remove these malicious apps from your phone
Here is a list of the Sharkbot-related apps:
- Atom Clean-Booster, Antivirus
- Antivirus, Super Cleaner
- Alpha Antivirus, Cleaner
- Powerful Cleaner, Antivirus
- Center Security – Antivirus (listed twice with two different icons)
After the details were reported to Google on March 3rd, the apps were removed from the Play Store by March 27th. But if you have any of these apps on your device, you still need to remove them. Make sure you check your bank account statements for any odd activity and change the passwords to your bank accounts.
How Sharkbot malware works
SharkBot’s goal is to initiate money transfers from compromised devices via Automatic Transfer Systems (ATS). According to researchers, this is an uncommon and advanced attack technique.
In traditional Android banking malware, a live person needs to authorize and transact the money transfer. SharkBot is more advanced; threat actors can auto-fill the fields in the mobile banking app and initiate the money transfer. The malware can also simulate button touches and clicks, allowing other malicious applications to be installed.
SharkBot is also able to bypass multi-factor authentication mechanisms by using ATS. However, for SharkBot to abuse many of the features in Android, the victim needs to enable the Accessibility Permissions & Services. The Android banking malware uses these permissions to intercept the accessibility events produced by the victim, such as touches, button presses, and other events. The malware also uses accessibility events to detect when the banking application is open in order to steal the user's credentials.
SharkBot can also reply to notifications from WhatsApp and Facebook Messenger to distribute phishing links that lead to the banking Trojan, thus spreading the malware to more users.
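Because the malware depends on an enabled accessibility service, that setting is a concrete thing to audit on a managed device. The following is an added example, not code from Check Point or from the original article; the package names, the sample setting value and the approved list are constructed for illustration.

```python
# Audit which apps hold an enabled Android accessibility service.
# The input is the value printed by:
#   adb shell settings get secure enabled_accessibility_services
# SAMPLE_SETTING and APPROVED are constructed placeholders, not real findings.

SAMPLE_SETTING = (
    "com.example.screenreader/.ReaderService:"
    "com.example.cleaner.antivirus/com.example.cleaner.core.AssistService:"
    "com.example.passwordmanager/.AutofillA11yService"
)

# Packages reviewed and approved for accessibility access (assumption).
APPROVED = {"com.example.screenreader", "com.example.passwordmanager"}


def parse_services(setting):
    """Split the colon-separated setting into (package, service_class) pairs."""
    setting = (setting or "").strip()
    if setting in ("", "null"):  # the setting reads "null" when nothing is enabled
        return []
    pairs = []
    for component in setting.split(":"):
        component = component.strip()
        if "/" not in component:
            continue  # skip malformed entries instead of guessing
        package, cls = component.split("/", 1)
        if cls.startswith("."):  # short form: class name relative to the package
            cls = package + cls
        pairs.append((package, cls))
    return pairs


def unapproved_services(setting, approved=APPROVED):
    """Return enabled accessibility services whose package is not approved."""
    return [(pkg, cls) for pkg, cls in parse_services(setting) if pkg not in approved]


if __name__ == "__main__":
    for pkg, cls in unapproved_services(SAMPLE_SETTING):
        print(f"REVIEW: {pkg} has accessibility service {cls} enabled")
```

Any package this reports deserves a manual look: an app presented as an anti-virus or cleaner has little reason to hold an accessibility service.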
How to avoid downloading malicious apps
Threat actors are always looking for new ways to spread malware. They accomplish this by making their apps look legitimate and by building the kinds of applications that are already in high demand, such as calculators and flashlights, to attract more downloads. If you’re looking for an application from the Play Store, make sure to do your due diligence.
Android users should:
- Only install applications from trusted and verified publishers
- Check if there is an equivalent application from a trusted publisher if you find an application from a new publisher
- Report any suspicious applications or activities to Google
Mobile security protections
If you’re responsible for the security of your business or organization, then you need a mobile security solution.
Check Point’s Harmony Mobile prevents malware from infiltrating mobile devices by detecting and blocking the download of malicious apps in real-time. Harmony Mobile’s unique network security infrastructure – on-device network protection – allows you to stay ahead of emerging threats by extending Check Point’s industry-leading network security technologies to mobile devices.