SharkBot banking trojan is back: hidden behind 7 new apps

Applications like antivirus tools provided on Google Play Store hide the banking trojan malware

SharkBot is back: the banking malware is hidden in and spread via fake Android antivirus apps

Seven malicious apps found on the Google Play Store masqueraded as legitimate programs but deployed the banking trojan SharkBot. The malware can steal credentials for banking applications and other related information. It is believed that these malicious apps had already been installed more than 15,000 times before their takedown from the store.[1]

The trojan uses geofencing and evasion methods, which researchers say make it stand out from other mobile banking malware.[2] In particular, it ignores users located in China, Romania, Russia, Ukraine, Belarus and India. Most victims reside in Italy and the United Kingdom.

The banking trojan is not new. Previous reports showed the malware posing as antivirus applications, so that people looking for security solutions install it themselves. Once installed, it can carry out unauthorized transactions via Automatic Transfer Systems (ATS).[3]

SharkBot droppers have been active for months

Check Point researchers lay out a timeline of the trojan's activity and of the findings about the applications that spread the malware instead of doing what they advertised. It all started in February, when the malicious applications were first detected on the Google Play Store.

In March, Google received reports about these programs, and NCC Group published its own findings.[4] There had been many reports on banking malware in the previous months. Even after those applications were removed, the campaign targeting people with these shady applications did not stop.

On March 9th, Google removed the four apps in question, and a few days later another SharkBot dropper was discovered. That app was reported right away, so it recorded no installations. The same happened on March 22 and 27: the new droppers were removed from Google Play because they were discovered quickly.

Advanced features of the banking trojan allow the worm-like propagation

SharkBot requests Accessibility Services permissions, which allow it to place a fake overlay on top of legitimate banking apps. Unsuspecting users type their usernames and passwords into a window that looks like the genuine login form, but the data actually goes into the malicious credential-capture form. The captured information is sent to servers controlled by the cybercriminals behind the trojan.

Another notable feature concerns the spreading method. The malware can auto-reply to notifications from Facebook Messenger and WhatsApp with a phishing link that redirects to the same fake antivirus apps. This is a worm-like distribution technique: the threat migrates from one device to the next via these messaging apps, and users unknowingly spread it to their contacts.

This is an unusual technique, since the threat actor depends on recipients responding to those messages. However, the FluBot malware recently used it in attacks that took place this February, so two different Android banking trojans managed to spread through the same delivery vehicle at the same time.

The irony of the most recent campaign is that users wanted to protect their devices from malware and hackers, so they searched for antivirus tools and security apps.[5] The result was the opposite: those 15,000 users got the Android banking trojan SharkBot instead. Google continues to remove apps like these once they are reported and investigated.

About the author
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for He graduated from the Washington and Jefferson College, Communication and Journalism studies.
