A banking Trojan capable of stealing login credentials, transferring money from a compromised account, intercepting SMS messages, hiding notifications, and a bunch of other nasties has been found hiding in the Google Play Store.
Researchers from two cybersecurity firms, first Cleafy and later NCC Group, spotted the highly dangerous SharkBot disguised as an antivirus app called “Antivirus, Super Cleaner”.
The app had been downloaded to, and compromised, over a thousand devices before Google appears to have removed it from the store.
Automatic Transfer Systems abuse
The Play Store is Google’s official app repository for the Android ecosystem and is generally perceived as secure - yet sometimes a malicious app will make it through Google’s defenses.
How the app made it to the Play Store has not yet been explained in detail, but the researchers did say the initial dropper app carried a “light” variant of the malware, which could help it avoid detection.
SharkBot is considered extremely dangerous, among other things, because it can transfer money via Automatic Transfer Systems (ATS), simulating touches, clicks, and button presses on the compromised endpoint so that the transfer is made from the victim's own device and banking session.
The threat actors behind SharkBot use this functionality very rarely, though, the researchers claim. Instead, they focus on stealing credentials (either by showing a fake login page as soon as they detect the official banking app being opened, or by logging accessibility events), intercepting and hiding SMS messages (probably to suppress SMS notifications about a successful login to the banking account), and remotely controlling the compromised device via Accessibility Services. All SharkBot needs for any of this is to be granted Accessibility permissions by the user.
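Because every capability listed above hinges on an Accessibility Service being enabled, the quickest triage check on a suspect device is to inspect which services hold that permission. The following POSIX shell script is an added example, not code from the article or from the Cleafy or NCC Group reports. It parses the value of Android's `enabled_accessibility_services` secure setting (a colon-separated list of `package/ServiceClass` entries, readable from a connected device with `adb shell settings get secure enabled_accessibility_services`) and flags any service whose package is not on an allowlist you maintain. The allowlist, the sample setting values, and the `com.example.supercleaner` package name are constructed for the example and do not identify the real malware.

```shell
#!/bin/sh
# Added example: flag Android Accessibility services that are enabled but not on an allowlist.
# Input is the raw value of Settings.Secure "enabled_accessibility_services", e.g. from:
#   adb shell settings get secure enabled_accessibility_services
# The device returns "null" (or nothing) when no service is enabled.

# Constructed allowlist of packages whose accessibility services are expected on this
# device (TalkBack screen reader). Colon-delimited with leading/trailing colons so that
# a package can be matched exactly with a shell `case` pattern.
ALLOWED_PKGS=":com.google.android.marvin.talkback:com.android.talkback:"

# Constructed sample values (not captured from a real device).
SAMPLE_CLEAN="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
SAMPLE_SUSPECT="$SAMPLE_CLEAN:com.example.supercleaner/com.example.supercleaner.AccService"

# Print one line per enabled service whose package is not allowlisted.
unexpected_accessibility_services() {
    enabled=$1
    if [ -z "$enabled" ] || [ "$enabled" = "null" ]; then
        return 0
    fi
    old_ifs=$IFS
    IFS=':'
    for entry in $enabled; do
        pkg=${entry%%/*}                 # strip "/ServiceClass", keep the package name
        case "$ALLOWED_PKGS" in
            *":$pkg:"*) ;;               # expected service, ignore
            *) printf '%s\n' "$entry" ;; # anything else is worth a look
        esac
    done
    IFS=$old_ifs
}

# Return 0 if every enabled service is allowlisted, 1 otherwise (and list the offenders).
check_accessibility_services() {
    unexpected=$(unexpected_accessibility_services "$1")
    if [ -n "$unexpected" ]; then
        printf 'Unexpected accessibility service(s) enabled:\n%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Stand-alone usage against the constructed samples; on a real device replace the
# argument with: "$(adb shell settings get secure enabled_accessibility_services)"
check_accessibility_services "$SAMPLE_CLEAN"   && echo "clean sample: ok"
check_accessibility_services "$SAMPLE_SUSPECT" || echo "suspect sample: review the package above"
```

A hit here is not proof of compromise, since legitimate password managers and automation apps also use Accessibility Services, but an "antivirus" or "cleaner" app holding this permission is exactly the pattern the researchers describe, and the package name gives you what to pull with `adb shell pm path <package>` for analysis.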
SharkBot also seems to be abusing the “Direct reply” feature found on Android. This feature allows users to reply to a message straight from the notification drop-down menu.
Via: BleepingComputer