SharkBot Trojan Spreading via Fake Antivirus Apps on Google Play

Security analysts at Check Point Research (CPR) team have recently revealed that there have been a number of malicious Android apps masquerading as antivirus solutions that have been used to spread the SharkBot banking Trojan from the Google Play Store.

This banking trojan was distributed using six malicious Android apps masquerading as antivirus solutions in the Google Play Store. 

While all these malicious applications came from the following developers’ accounts:-

• Zbynek Adamcik
• Adelmio Pagnotto
• Bingo Like Inc

The threat actors use Sharkbot to steal and manipulate bank details and login credentials since it’s an information stealer. The malware uses evasion techniques and geofencing features in order to avoid infecting devices from any of these countries:-

• China
• India
• Romania
• Russia
• Ukraine
• Belarus

Capabilities of SharkBot

In October 2021, Cleafy was the first company to notice the malware, and it’s one of the most powerful features, the ability to transfer money via ATS (Automatic Transfer Systems).

Here the threat actors exploit the compromised devices to execute this task by simulating the following things:-

• Touches
• Clicks
• Button presses

Here below we have mentioned the primary functions of SharkBot:-

• Injections
• ATS
• Overlay attack
• Keylogging
• SMS intercept
• Remote control

It is believed that more than 15000 copies of the rogue apps were installed before their removal, with the majority of victims either living in:- 

• Italy
• The United Kingdom

However, after the reporting, all the malicious applications were removed from the Play store by Google permanently. 

Apart from this, the security analysts have observed 27 versions of Sharkbot, and in SharkBot the threat actors use another stealthy and sophisticated technique that is rarely used in Android malware:-

Domain Generation Algorithm (DGA)

Affected apps

Several applications on Google Play have been masked as Sharkbot droppers, and here they are mentioned below:-

• com.abbondioendrizzi.tools[.]supercleaner
• com.abbondioendrizzi.antivirus[.]supercleaner
• com.pagnotto28.sellsourcecode[.]alpha
• com.pagnotto28.sellsourcecode[.]supercleaner
• com.antivirus.centersecurity[.]freeforall
• com.centersecurity.android[.]cleaner

Commands Used

Here below we have mentioned all the commands used by SharkBot:-

• smsSend
• updateLib
• updateSQL
• updateConfig
• uninstallApp
• collectContacts
• changeSmsAdmin
• getDoze
• sendInject
• iWantA11
• updateTimeKnock
• sendPush
• APP_STOP_VIEW
• Swipe
• autoReply
• removeApp
• serviceSMS
• getNotify
• localATS
• sendSMS
• downloadFile
• stopAll

SharkBot can present you with fake overlay windows of fake banking apps using Android’s Accessibility Services permissions that allow it to bypass certain security measures.

It is possible for SharkBot to create auto-replies to notifications from popular apps such as Facebook Messenger and WhatsApp to make the antivirus app share a phishing site to attract victims.

That’s why the security experts strongly recommended users not download any applications from unknown sources. Not only that even they have also urged users to stay alert and cautious while downloading any app from a reputable store.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.