Introduction

The threat actor SharkBot is spreading through the Google play store by a fake android antivirus app. SharkBot is a banking Trojan that has been active since October 2021. That steals the bank account credentials and bypass multi-factor authentication mechanism.

SharkBot is similar to TeaBot, FluBot and Oscorp (UBEL) malware that belong to the category of financial. The malware that can initiate money transfers from compromised device by avoiding the mechanism of multi-factor authentication.

But SharkBot has the ability to carry out the unauthorized transaction via Automatic Transfer System (ATS). To conduct the malicious activities it requires a live operator to interact with the infected devices.

How SharkBot works?

Researchers from NCC Group published a report earlier, that lay down how SharkBot works and how it ended up bypassing Play Store safety measures. The malicious app functions like a three-layer poison pill, with one layer act as the antivirus and the second layer as a scaled down version of SharkBot that then updates by downloading the fully-fanged version of the malware. Then it gets activated and uses a variety of tactics to loot victims’ bank accounts.

One of the tactics is “overlay attack” the moment it detects an active banking app, a screen that looks like the bank in question is flashed and that is ready to feed the login credentials. The keylogger program is also gets activated that sends whatever the user type to the attacker’s server and it just not intercepts SMS messages but can hide them too.

Incoming notifications are hijacked by the software and the user gets the messages that are commanded by the attacker’s. In this way SharkBot can completely own an Android smartphone.

Techniques used by SharkBot malware:-

• Injections (overlay attack)
• Keylogging
• SMS intercepts
• Remote control/ATS

The list of malicious apps uploaded to the Google Play Store that has been downloaded tens of thousands times:

• Antivirus, Super Cleaner
• Atom Clean-Booster, Antivirus
• Alpha Antivirus, Cleaner
• Powerful Cleaner, Antivirus

“The ATS features allow the malware to receive a list of events to be simulated, and they will be simulated in order to do the money transfers,” Alberto Segura and Rolf Govers, malware analysts at cyber-security firm NCC Group, said in a report published last week. These features are used to simulate touches/clicks and button presses, it not only automatically transfers money but also install other malicious components or applications.

Remedies :

Prevention is always better than cure. So to avoid such kind of malware follow:

• Need of strong password.
• Enable multifactor authentication (such as PIN or security question)
• Keep all the software updated
• Install anti-virus and anti-spyware software
• Install firewall
• Before installing any application carefully read the license agreement
• Build awareness about common malware.

 

Cyber Security Companies: https://www.designrush.com/agency/cybersecurity