Android users beware: a shark is lurking in the Google Play Store.
Android Police recently reported that security researchers from the NCC Group discovered an updated SharkBot trojan hiding in an antivirus app on the Google Play Store on March 5.
According to NCC Group's post on the malware, SharkBot was able to bypass the Google Play Store's safety measures, and it abuses the Android "Direct Reply" notification feature so that infected devices themselves help spread the malicious app.
SharkBot Details: How It Infects Devices and Works
The first SharkBot was discovered in October 2021 by security researchers at Cleafy, a team of cybersecurity experts, fraud-hunters, data scientists, and engineers. The malware is one-of-a-kind since it has no connection to existing malware like TeaBot or Xenomorph.
In 2021, the malware had previously been found hiding in three apps posing as legitimate applications: Live Net TV, UltData_Recovery, and Media Player HD.
According to Cleafy's report on the malware, SharkBot is a "new generation" mobile malware with an automatic transfer system (ATS). This system would allow hackers to auto-fill fields in legitimate mobile banking apps and initiate money transfers from compromised devices with only minimal human intervention.
SharkBot is different from TeaBot as it doesn't need a live operator to insert and authorize a money transfer.
Cleafy also surmised that the malware is trying to bypass behavioral detection countermeasures put in place by multiple banks and financial services by abusing an Android phone's accessibility services. This abuse also allows the malware to bypass the need for a "new device enrollment."
Once an infected app is downloaded, SharkBot immediately tries to get the Android device's accessibility service enabled through fake pop-ups, which it keeps displaying until the device's user accepts.
From this point, the malware would then be able to access the mobile banking apps installed on the infected device through the device's accessibility service. However, it still needs to get the user's credentials, such as their password, through an "overlay attack" to perform the next step of the ATS attack.
Once the user's credentials are obtained, it can then simulate the same sequence of actions that the user would normally perform to make illegal money transfers, per The Hacker News.
Cleafy also noted in its post that the malware has a low detection rate: only three of the 62 antivirus programs it tested flagged the malware as malicious. The company concluded that the malware was written from scratch, a conclusion further supported by SharkBot's use of an external module that contains the ATS core functionality and the anti-detection techniques used to "slow down the static and dynamic analysis."
A new 'App Zero'
Ironically, on March 5 the malware was discovered hiding in an antivirus app posing as a legitimate app. The app in question, Antivirus, Super Cleaner from Zbynek Adamncik, had presumably been taken down from the Play Store by Google, as the app's page was no longer accessible at the time of this article's publication.
However, the malware was also found in other antivirus apps:
- Antivirus, Super Cleaner
- Atom Clean-Booster, Antivirus
- Alpha Antivirus, Cleaner
- Powerful Cleaner, Antivirus
According to the report, the apps had been installed by more than 500, 5,000, and 50,000 users, respectively.
How to Remove SharkBot From Your Phone
PC Risk's article on the matter advises people to download software only from official and verified sources, and to activate and update all programs only with legitimate tools obtained from official channels. Additionally, suspicious and unsolicited emails should not be opened, especially their attachments and links.
Because SharkBot uses an anti-delete capability, as part of its anti-analysis and anti-detection techniques, to prevent users from uninstalling an infected app, Android Police suggests that anyone who suspects they have downloaded SharkBot factory reset, or "fully wipe," their phone to remove the malware.