SharkBot, malware that targets mobile banking applications, is back stalking Android users. As before, the malware is hidden inside malicious applications disguised as antivirus apps.
Security researchers from Check Point found six antivirus apps on the Google Play Store that carried the SharkBot malware. In total, these six applications have been downloaded more than 15,000 times.
"SharkBot steals banking credentials and information," said researchers Alex Shamshur and Raman Ladutska of Check Point, as quoted by The Hacker News, Friday (8/4/2022).
"This malware implements geofencing features and evasion techniques, which makes it stand out from other malware," they continued.
Specifically, this malware is designed to avoid users in China, India, Romania, Russia, Ukraine and Belarus. Most of its victims are located in the UK and Italy.
This Check Point report complements the recent findings of the NCC Group regarding the SharkBot malware. The NCC Group said one of the malware's important features is the automatic transfer system (ATS), which allows hackers to transfer money from victims' accounts without requiring human interaction.
The SharkBot malware leverages the access permissions of accessibility services on Android to display a fake overlay window on top of the mobile banking app to trick users.
The fake antivirus app containing the SharkBot malware, which Google has now removed. Photo: Check Point Research
If a user carelessly enters their username and password on the fake login page, the data is sent directly to the attacker's server. The data is then used to access email, social media accounts, online bank accounts, and others.
This malware also returns with a new feature: the ability to automatically reply to notifications from Facebook Messenger and WhatsApp. The replies contain phishing links to the fake antivirus applications, so the attack can spread more widely.
The good news is that the six fake antivirus applications have been removed from the Google Play Store. Although they are no longer available on Google's official app store, the malware is still spreading through third-party app stores, so the danger remains.
Users who think they have downloaded a suspicious app should delete it immediately, download a genuine antivirus app to scan for malware on their phone, and change any passwords that might have been stolen.
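For readers checking a device, the accessibility-service access described above can be audited over adb. The following is an added example, not code from Check Point or NCC Group: it parses the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -i` and `adb shell pm list packages -s`, and lists user-installed apps that hold an enabled accessibility service. The sample output and package names are constructed.

```python
import re

PLAY_STORE = "com.android.vending"  # installer name recorded for Google Play installs

def a11y_packages(setting):
    """Packages named in `settings get secure enabled_accessibility_services`
    (a colon-separated list of package/ServiceClass components)."""
    comps = [c for c in setting.strip().split(":") if c and c != "null"]
    return {c.split("/", 1)[0] for c in comps}

def installers(listing):
    """Map package -> installer from `pm list packages -i` output."""
    found = {}
    for line in listing.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def system_packages(listing):
    """Preinstalled packages from `pm list packages -s` output."""
    return {l.strip()[len("package:"):] for l in listing.splitlines()
            if l.strip().startswith("package:")}

def review_list(setting, installer_listing, system_listing):
    """User-installed apps that hold an enabled accessibility service.
    Each row: (package, installer, sideloaded). Play-installed apps are still
    listed, since the apps in the article were distributed through Google Play."""
    inst = installers(installer_listing)
    preinstalled = system_packages(system_listing)
    rows = []
    for pkg in sorted(a11y_packages(setting) - preinstalled):
        source = inst.get(pkg, "unknown")
        rows.append((pkg, source, source != PLAY_STORE))
    return rows

# Constructed sample output (all package names are hypothetical).
SAMPLE_SETTING = ("com.example.oem.reader/com.example.oem.reader.Service:"
                  "com.example.fakeav/com.example.fakeav.A11y:"
                  "com.example.cleaner/.Helper")
SAMPLE_INSTALLERS = """package:com.example.oem.reader  installer=null
package:com.example.fakeav  installer=com.android.vending
package:com.example.cleaner  installer=null
package:com.example.game  installer=com.android.vending"""
SAMPLE_SYSTEM = "package:com.example.oem.reader"

if __name__ == "__main__":
    for row in review_list(SAMPLE_SETTING, SAMPLE_INSTALLERS, SAMPLE_SYSTEM):
        print(row)
```

Every row is a candidate for manual review; an app that does not need accessibility access to do its stated job is the first one to uninstall.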