Over the past couple of months, security researchers identified several applications in Google Play that were designed to download the SharkBot Android trojan.
SharkBot was initially detailed in November 2021, when it was only being distributed through third-party application stores. The threat was mainly focused on initiating unauthorized money transfers via Automatic Transfer Systems (ATS) by auto-filling fields in legitimate applications.
In early March, NCC Group reported that several SharkBot droppers had made their way into Google Play, all of which showed identical code and behavior.
The first SharkBot dropper found in Google Play was posing as an antivirus application. It was identified as a downgraded version of the trojan containing only minimum features, but capable of fetching and installing the full version at a later date.
NCC Group also discovered that the threat was abusing the ‘Direct Reply‘ Android feature – where reply notifications are automatically sent – to deliver a message to download the fake antivirus application. The same strategy was previously used by the Flubot Android malware.
Around the same time that NCC Group published their research on the Android trojan, Check Point found four SharkBot droppers in Google Play and reported them to Google. They were disguised as security and optimization apps, and were removed from the official app store on March 9.
[ READ: New ‘SharkBot’ Android Banking Malware Hitting U.S., UK and Italy Targets ]
Over the next several weeks, however, the researchers observed continued attempts from the trojan’s developers to have a dropper published in Google Play. At least two of them were removed the same day they were submitted, before anyone could download them.
Check Point says it discovered a total of six droppers in Google Play, published from developer accounts that were active in the fall of 2021, and which had some of their applications removed from the store. The removed apps, Check Point says, had been installed roughly 15,000 times.
Once installed on an Android device, SharkBot requests permissions that allow it to control the device, luring the user into granting it access to the Android Accessibility feature. This allows it not only to perform illicit money transfers, but also to steal user credentials by displaying fake login windows.
“What is interesting and different from the other families is that SharkBot likely uses ATS to also bypass multi-factor authentication mechanisms, including behavioral detection like bio-metrics, while at the same time it also includes more classic features to steal user’s credentials,” NCC Group notes.
The threat also uses geofencing – it ignores users from Belarus, China, India, Romania, Russia, and Ukraine – and a domain generation algorithm (DGA), with roughly 56 domains created each week. The researchers also identified eight IP addresses that the trojan used for command and control (C&C).
Related: ‘Xenomorph’ Android Trojan Targets 56 Banking Applications
Related: Over 100 Million Android Users Installed ‘Dark Herring’ Scamware
Related: Tens of Thousands Download “AbstractEmu” Android Rooting Malware