Account-hacking malware has been found spreading again on the Google Play Store. Worse, this malware hides inside antivirus applications and phone cleaners.
The malware, named SharkBot, was first discovered by Cleafy in October 2021. Its presence in the Play Store was detected by researchers from the NCC Group, who recently shared a detailed analysis of the malware's actions.
One of the main features of this malware is the automatic transfer system (ATS), which allows hackers to transfer victims' money without their knowledge. This feature is also what distinguishes SharkBot from other banking trojans.
Interestingly, the transfer of money out of the victim's account can be done without human interaction. The malware can simulate actions such as touches, clicks, and button presses, just as a user of a mobile banking application would perform them.
According to the NCC report, the latest version of SharkBot has four main functions, namely:
Injections: SharkBot can steal a user's mobile banking account credentials by displaying a fake login page once it detects that an official mobile banking application has been opened.
Keylogging: SharkBot can steal credentials by logging accessibility events (related to text changes and button clicks) and sending these logs to a command and control (C2) server.
SMS intercept: SharkBot can intercept or hide incoming SMS.
Remote control/ATS: SharkBot can take full control of Android devices remotely by exploiting the Accessibility permissions on the phone.
In addition to the four functions above, the SharkBot malware can also receive commands from the C2 server to do several things, such as sending SMS to a number, downloading files from certain URLs, deleting applications from the phone, turning off battery optimization, and others, as quoted from Bleeping Computer, Thursday (7/4/2022).
SharkBot malware was found in four antivirus applications circulating in the Play Store. Fortunately, all four applications have been removed by Google, but before being removed they had been downloaded more than 57,000 times.
Users who have these apps on their phone should delete them immediately and reset the device. Here is a list of the four apps that contain the SharkBot malware:
Antivirus, Super Cleaner - 1000+ downloads
Atom Clean-Booster, Antivirus - 500+ downloads
Alpha Antivirus Cleaner - 5,000+ downloads
Powerful Cleaner, Antivirus - 50,000+ downloads