That Android antivirus could actually be malware

System Hardening Android
(Image credit: Google)

A banking Trojan capable of stealing login credentials, transferring money from a compromised account, intercepting SMS messages, hiding notifications, and a bunch of other nasties has been found hiding in the Google Play Store. 

Researchers from two cybersecurity firms, first Cleafy, and later NCC Group, spotted the highly dangerous SharkBot, disguised as an antivirus app called “Antivirus, Super Cleaner”.

The app has already been downloaded and compromised over a thousand devices, but Google does appear to have removed it now.

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

Automatic Transfer Systems abuse

The Play Store is Google’s official app repository for the Android ecosystem and is generally perceived as secure - yet sometimes a malicious app will make it through Google’s defenses.

How the app made it to the Play Store has not yet been explained in detail, but the researchers did say the initial dropper app carried a “light” variant of the malware, which could help it avoid detection. 

SharkBot is considered extremely dangerous, among other things, because it is capable of transferring money via Automatic Transfer Systems (ATS) by simulating touches, clicks, and button presses, on compromised endpoints. 

The threat actors behind SharkBot use this functionality very rarely, though, the researchers claim. Instead, they focus on stealing credentials (either by showing a fake login website as soon as they detect the official banking app opened, or by logging accessibility events), intercepting and hiding SMS messages (probably to hide SMS notifications about a successful login into the banking account), and remotely controlling the compromised device via Accessibility Services. All SharkBot needs to perform these things is to gain Accessibility permissions. 

SharkBot also seems to be abusing the “Direct reply” feature found on Android. This feature allows users to reply to a message straight from the notification drop-down menu. 

 Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.