As many as seven malicious Android apps discovered on the Google Play Store masqueraded as antivirus solutions to deploy a banking trojan called SharkBot.
“SharkBot steals credentials and banking information,” Check Point researchers Alex Shamshur and Raman Ladutska said in a report shared with The Hacker News. “This malware is distinguished by its use of geofencing and other evasion methods.”
In particular, the malware is designed to ignore users from China, India, Romania, Russia, Ukraine, and Belarus. The rogue apps are said to have been installed more than 15,000 times prior to their removal, with most of the victims located in Italy and the U.K.
This report builds on previous NCC Group findings of bankbots posing as antivirus software to perform unauthorized transactions through Automatic Transfer Systems (ATS).
SharkBot takes advantage of the Accessibility Services permissions to present fake overlay windows on top of legitimate banking apps. When unsuspecting users enter their usernames and passwords into the fake windows, the captured data is sent to a malicious server.
A new feature in SharkBot is the ability to automatically reply to messages from Facebook Messenger or WhatsApp. This allows it to reply with a malicious link to the antivirus application, spreading the malware in a worm-like manner. A similar feature was incorporated in FluBot earlier this February.
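A defender-side check for the Accessibility Services abuse described above, added here as an example that is not from the Check Point report or the original article: it lists user-installed apps that hold an enabled accessibility service so they can be reviewed. It assumes the two inputs were collected with `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`; the `com.example.*` package names, the allowlist and the function names are constructed for illustration.

```python
"""Triage which user-installed Android apps hold an enabled accessibility service."""


def parse_enabled_services(setting_value):
    """Parse the enabled_accessibility_services secure setting.

    The value is a colon-separated list of flattened component names
    (package/class); a class starting with '.' is relative to the package.
    """
    value = setting_value.strip()
    if not value or value == "null":  # `settings get` prints "null" when unset
        return []
    services = []
    for entry in value.split(":"):
        package, sep, cls = entry.strip().partition("/")
        if not sep or not package or not cls:
            continue  # malformed entry: skip rather than guess
        if cls.startswith("."):
            cls = package + cls  # expand the short class form
        services.append((package, cls))
    return services


def parse_third_party(pm_output):
    """Parse `pm list packages -3` output (lines of the form package:<name>)."""
    prefix = "package:"
    return {
        line.strip()[len(prefix):]
        for line in pm_output.splitlines()
        if line.strip().startswith(prefix)
    }


def review_list(setting_value, pm_output, allowlist=frozenset()):
    """Return enabled accessibility services owned by non-allowlisted user apps."""
    third_party = parse_third_party(pm_output)
    return [
        (pkg, cls)
        for pkg, cls in parse_enabled_services(setting_value)
        if pkg in third_party and pkg not in allowlist
    ]


# Constructed sample inputs (not taken from a real device).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.fakeav/.CleanerService"
    ":com.example.passmgr/com.example.passmgr.AutofillA11y"
)
SAMPLE_PM = "package:com.example.fakeav\npackage:com.example.passmgr\npackage:com.example.notes\n"
```

An antivirus or cleaner app has no obvious need for an accessibility service, so any such entry in the returned list deserves a closer look.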
The latest findings come as Google took steps to banish 11 apps from the Play Store on March 25 after they were caught incorporating an invasive SDK to discreetly harvest user data, including precise location information, email and phone numbers, nearby devices, and passwords.
“What’s also noteworthy here is that the threat actors push messages to victims containing malicious links, which leads to widespread adoption,” Alexander Chailytko, cyber security, research and innovation manager at Check Point Software, said.
“All in all, the use of push-messages by the threat actors requesting an answer from users is an unusual spreading technique.”