A malware called SharkBot, which is responsible for Android banking fraud, has once again appeared on the official Google Play Store in the form of legit-looking malicious apps.
It seems that malignant apps are often distributed directly from the Google Play Store in recent months, which has become a common theme on the web.
While cybersecurity analysts at BitDefender have recently identified that this time, SharkBot has taken the form of file managers to bypass the restrictions of the Google Play Store.
Users are more likely to believe something is safe if it comes from an official store, but that is not always the case. During the course of 2021, Cleafy discovered SharkBot for the first time.
Technical Analysis
Upon installation of these malicious apps from Google Play, for the SharkBot bankers, these applications act as malicious droppers.
However, their actions are completely dependent on where the user is located. In these applications, the user must grant permission to the application for it to install external packages (REQUEST_INSTALL_PACKAGES), which is why the applications disguise themselves as file managers.
There is a significant number of users who have downloaded malicious apps from the following countries in the majority:-
- The U.K.
- Italy
This trojan is primarily designed to facilitate the transfer of money via a technique called ATS from compromised devices which is a primary goal of the Trojan.
In this method, the actor-controlled account is swapped with the payee account via an intercepted transaction triggered by a banking app.
When users attempt to open legitimate banking applications, this malware can also serve as a fake authentication or login page through which it steals users’ credentials.
Strategies Used
In order to steal banking-related information from an Android device, SharkBot utilizes four main strategies.
So, here below we have mentioned the four strategies primarily used by this malware:-
- Overlay attack
- Keylogging
- SMS intercept
- Remote control
- ATS
Malicious Apps
Below are the dropper applications that have been removed from the Play Store now:-
- X-File Manager (com.victorsoftice.llc) with 10,000+ downloads
- FileVoyager (com.potsepko9.FileManagerApp) with 5,000+ downloads
- LiteCleaner M (com.ltdevelopergroups.litecleaner.m) with 1,000+ downloads
Moreover, this malware monitors a wide range of apps that are related to finances, such as the ones below:-
Permissions Asked
Here below we have mentioned all the permissions asked by these malicious apps in general are:-
- READ_EXTERNAL_STORAGE
- WRITE_EXTERNAL_STORAGE
- GET_ACCOUNTS
- REQUEST_INSTALL_PACKAGES
- QUERY_ALL_PACKAGES
- REQUEST_DELETE_PACKAGES
Some of these malicious applications are still available for download in other third-party app stores like:-
- Apksos[.]com
- Apkaio[.]com
- Modapkdown[.]com
Recommendations
Here below we have mentioned the recommendations offered by the security experts:-
- Make sure to download apps from trusted sources or the official app store.
- The best way to ensure the safety of your apps is to only download them from verified publishers.
- Make sure that 2-factor authentication is enabled on your banking apps
- You should change your banking passwords frequently.
- Always use strong and unique passwords that have never been used before.
- Make sure to enable the Play Protect service.
- Install a reputed mobile security and antivirus solution from the Google Play Store.
Azure Active Directory Security – Download Free E-Book
