Google removes dangerous banking malware from the Play Store


A dangerous Android banking Trojan called SharkBot, which first surfaced last October and continues to circulate in the wild, is the latest example of a threat actor persistently trying to distribute mobile malware via Google Play, Google's trusted mobile app store.

The malware, which its discoverer described as "the next generation" of mobile banking malware, uses compromised Android devices to surreptitiously transfer money out of bank accounts while the victim is logged into them, bypassing multi-factor authentication controls in the process. SharkBot can also steal credentials and credit card data, and it incorporates several features designed to complicate or slow down detection.

Over the past month, researchers from Check Point Research identified at least six different apps on Google Play that posed as legitimate antivirus software but were instead used to drop SharkBot onto the devices of those who installed them. The six apps were published from three separate developer accounts and were downloaded over 15,000 times in the relatively short time they were available on Play.

Check Point discovered four of the apps distributing SharkBot on February 23, 2022 and reported them to Google on March 3, the same day that another security vendor, NCC Group, also reported finding the same threat in the store. Google removed the malicious apps from Google Play about a week later. But less than a week after that, and again a week later, Check Point discovered two more apps containing the malware on Google Play. On both occasions, Google's security team acted quickly to remove the threats before users downloaded them.

A Google spokesperson confirmed that the company has removed all traces of the malware from Play.

In a blog post this week, Check Point highlighted several SharkBot features that go some way toward explaining how the malware's authors were able to circumvent Google's protections and upload it to Google Play multiple times. SharkBot's evasion tricks include timed delays, the ability to detect whether it is running in a sandbox, and keeping most of its malicious functionality in a module that is downloaded from an external command-and-control (C2) server only after the Play app verification process has completed.

One aspect of SharkBot that Check Point said it has rarely seen in Android malware is its use of a domain generation algorithm (DGA) to keep changing its C2 domains, making the threat harder to block. Also worth noting is a geofencing capability in SharkBot that ensures the malware does not run on Android devices located in China, Russia, Ukraine, India, Belarus and Romania.

"DGA is an algorithm by which a malicious client and a malicious actor can modify the C2 server in concert, without any communication," explains Alexander Chailytko, head of cybersecurity research and innovation at Check Point Software. With DGA, SharkBot can generate 35 domains per week, complicating the process of blocking the malware operators' servers, he says.
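The mechanism Chailytko describes, as an added illustration from the defender's side (this is not SharkBot's algorithm, and the seed derivation, secret, TLD list and domain lengths are assumptions): client and operator each derive the same weekly set of domains from a shared secret and the calendar week, so no message ever has to carry the C2 address. Once an analyst recovers the algorithm and secret from a sample, the same function pre-computes every domain the malware will try, which is how the 35-per-week churn the article mentions is turned back into a blocklist or sinkhole list.

```python
"""Toy domain generation algorithm (DGA), viewed from the defender's side.

Added example, not SharkBot's real algorithm. The secret, the SHA-256
derivation, the TLD list and the label lengths are all assumptions
chosen only to show how both sides agree on domains without talking.
"""
import datetime as dt
import hashlib

DOMAINS_PER_WEEK = 35                # the count the article attributes to SharkBot
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("com", "net", "org")         # assumed TLD set
DEFAULT_SECRET = b"example-seed"     # assumed shared secret baked into the client


def week_seed(day: dt.date, secret: bytes = DEFAULT_SECRET) -> bytes:
    """Both sides derive one seed per ISO week from the date and the secret."""
    year, week, _ = day.isocalendar()
    return hashlib.sha256(secret + f"{year}-{week:02d}".encode()).digest()


def weekly_domains(day: dt.date, secret: bytes = DEFAULT_SECRET) -> list[str]:
    """Expand the weekly seed into the full candidate list (deterministic)."""
    seed = week_seed(day, secret)
    domains = []
    for i in range(DOMAINS_PER_WEEK):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        length = 8 + digest[0] % 5                       # 8..12 letter labels
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def build_blocklist(start: dt.date, weeks: int,
                    secret: bytes = DEFAULT_SECRET) -> set[str]:
    """Defender's view: pre-compute every domain for the next `weeks` weeks."""
    blocklist = set()
    for w in range(weeks):
        blocklist.update(weekly_domains(start + dt.timedelta(weeks=w), secret))
    return blocklist


def is_dga_domain(domain: str, blocklist: set[str]) -> bool:
    """Check a queried name (case- and trailing-dot-insensitive) against the list."""
    return domain.lower().rstrip(".") in blocklist


if __name__ == "__main__":
    today = dt.date(2022, 3, 3)      # the day the article says Google was notified
    for name in weekly_domains(today)[:5]:
        print(name)
    print(len(build_blocklist(today, weeks=4)), "domains to block over four weeks")
```

Two properties matter in practice and are what the functions above expose: any two dates in the same ISO week yield the identical list (so a DNS resolver can be loaded with this week's names in advance), and a lookup only needs the recovered secret plus the date, never the C2 server itself.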

The fact that all of SharkBot’s malicious actions are triggered from the command and control server also means that the malicious app can remain in a kind of “OFF” state for a test period in Google Play and activate when it gets to users’ devices, says Chailytko.

Sophisticated functionality
Both Cleafy, the first to discover the malware, and NCC Group, in a report last month, noted SharkBot's use of a technique called Automatic Transfer Systems (ATS) to initiate money transfers from bank accounts belonging to owners of SharkBot-infected Android devices. The technique essentially involves the malware automatically filling in the fields and forms that banks typically require to initiate a money transfer, at the moment the victim uses the compromised device to log into their bank account. Such theft can be very difficult to detect because it bypasses multi-factor verification and is performed by a trusted user from a previously registered device, Cleafy noted.

Chris Clements, vice president of solutions architecture at Cerberus Sentinel, explains that malicious applications that use delays, code obfuscation techniques, and geofencing can be difficult to detect. Even so, the regularity with which they are discovered on official Google and Apple app stores undermines user confidence in the security of any apps on these platforms – particularly because both vendors tout their app stores as safe and secure, Clements says: “It’s a big deal in part because successfully compromising the mobile device at the center of a person’s digital life gives the attacker broad access to cause significant damage.”

He advocates that mobile device users pay close attention to the permissions they grant to apps they download, especially any app that wants to access the “Accessibility Service” on Android to help users with disabilities.
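A concrete version of the check Clements recommends, added here as an example and not taken from the article: on Android, the services granted the Accessibility permission are recorded in the secure setting `enabled_accessibility_services`, which `adb shell settings get secure enabled_accessibility_services` prints as a colon-separated list of flattened component names (`package/service`, or `null` when none is enabled). The parser below reads that value and flags any package outside an allowlist; the sample value and the allowlist are constructed for the example.

```python
"""List enabled Android accessibility services and flag unexpected ones.

Added example. Input is the value of the secure setting
`enabled_accessibility_services`: entries are `package/service`, separated
by colons; a service name starting with "." is relative to the package.
The sample setting value and allowlist below are constructed.
"""

# Constructed sample: one well-known screen reader plus a fake "antivirus" app
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeav/.AccessService"
)

# Constructed allowlist of packages a user knowingly granted the permission to
KNOWN_GOOD_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(value: str) -> list[tuple[str, str]]:
    """Return (package, fully-qualified service) pairs; empty for "null"/blank."""
    value = value.strip()
    if not value or value == "null":
        return []
    services = []
    for entry in value.split(":"):
        if not entry:                      # tolerate trailing/duplicate colons
            continue
        package, _, service = entry.partition("/")
        if service.startswith("."):        # ".Svc" is shorthand for "pkg.Svc"
            service = package + service
        services.append((package, service))
    return services


def flag_unexpected(services: list[tuple[str, str]],
                    allowlist: set[str]) -> list[tuple[str, str]]:
    """Services whose package is not on the allowlist deserve a closer look."""
    return [(pkg, svc) for pkg, svc in services if pkg not in allowlist]


if __name__ == "__main__":
    enabled = parse_enabled_services(SAMPLE_SETTING)
    for pkg, svc in flag_unexpected(enabled, KNOWN_GOOD_PACKAGES):
        print(f"unexpected accessibility service: {pkg} ({svc})")
```

The point of the allowlist is that Accessibility is rarely needed by more than one or two apps a user deliberately chose (a screen reader, a password manager); an "antivirus" app holding it is exactly the permission pattern the article warns about, and a fleet-management script can run this same parse over the output collected from managed devices.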

