
SharkBot – A New Generation Android Banking Trojan

Kyle by Kyle
May 27, 2022 - Updated on May 31, 2022
in Malware Analysis, Mobile Security

SharkBot is a relatively new Android banking trojan that was recently found being distributed through the Google Play Store. The trojan was originally identified in October 2021 by the Cleafy research team.


The original Cleafy analysis stated that the sole goal of SharkBot was to initiate currency transfers via Automatic Transfer Systems (ATS). This is an advanced technique not normally seen in Android banking malware: most of the Android malware currently in circulation requires a live operator to insert and authorize each money transfer, whereas ATS lets the attackers scale up their botnet with minimal effort.

The ATS feature allows the malware to automate money transfers by following a list of commands. Because the malware can simulate touches on the smartphone touchscreen, it can also carry out malicious tasks other than transferring money.

How SharkBot Steals Money and Credentials

SharkBot has four main components implemented in its code to steal banking credentials:

  • Injections: SharkBot can steal banking credentials by overlaying a fake login screen on top of the banking app as soon as it detects that the banking app has been opened.
  • Keylogging: SharkBot can steal credentials by logging the text entered via the keyboard on the mobile device, which is then sent to the command and control (C&C) server.
  • SMS intercept: SharkBot has the ability to intercept and hide SMS messages on the infected device.
  • Remote control: SharkBot can gain full remote access to the device, reaching anything a normal smartphone user can reach, via Accessibility Services.

For many of these credential-stealing features, SharkBot needs the user to enable the Accessibility permissions and services for it. This allows the malware to intercept every accessibility event or action the user takes, including button presses, touches, any text typed or inputted into text fields, and so on.

How SharkBot is Being Distributed

SharkBot is being spread via the Google Play Store, specifically through a fake antivirus app called “Antivirus, Super Cleaner”, as seen in the image below.

[Image: SharkBot app details]

Another method this Android malware uses is called “Direct reply”. With this feature, the attackers can instruct the malware to automatically reply to any incoming text message with a specified message that includes a download link to the fake antivirus app.

In the image below, we can see this “autoReply” command sent from the attacker’s command and control server; it contains a Bit.ly link that redirects to the Google Play Store.

Direct reply malware spreading method

Commands

SharkBot supports a slew of commands that the adversary can execute on an infected phone at any time. These include uninstalling any app from the device, sending text messages, downloading files, and more. The full list of commands is below:

  • smsSend: used to send a text message to the phone number specified by the threat actors (TAs)
  • updateLib: used to request that the malware download a new JAR file from the specified URL, which should contain an updated version of the malware
  • updateSQL: used to send an SQL query to be executed in the SQLite database in which SharkBot saves its configuration (injections, etc.)
  • stopAll: used to reset/stop the ATS feature, halting any in-progress automation
  • updateConfig: used to send an updated config to the malware
  • uninstallApp: used to uninstall the specified app from the infected device
  • changeSmsAdmin: used to change the default SMS manager app
  • getDoze: used to check whether the permission to ignore battery optimization is enabled, and to open the Android settings page to change it if it is not
  • sendInject: used to show an overlay to steal the user’s credentials
  • getNotify: used to open the Notification Listener settings if they are not enabled for the malware. With this permission granted, SharkBot is able to intercept notifications and send them to the C2
  • APP_STOP_VIEW: used to close the specified app, so that every time the user tries to open that app, the Accessibility Service will close it
  • downloadFile: used to download a file from the specified URL
  • updateTimeKnock: used to update the last request timestamp for the bot
  • localATS: used to enable ATS attacks. It includes a JSON array of the events/actions the malware should simulate to perform ATS (button clicks, etc.)
Source: Fox-it.com
Tags: android, malware
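The two permissions the article keeps returning to, the Accessibility Service the malware needs for injections, keylogging and remote control, and the Notification Listener access requested by the getNotify command, are both recorded as plain settings on an Android device, which makes them a cheap thing to audit. The script below is an added example, not code from the article or from the Fox-IT/Cleafy analyses: it takes the raw value of the `enabled_accessibility_services` and `enabled_notification_listeners` secure settings (as returned by `adb shell settings get secure ...`) and lists every entry whose package is not on an allowlist. The package names in the sample values are constructed placeholders, not SharkBot's real package name, and the allowlist is an assumption you would replace with the apps you actually trust.

```shell
#!/bin/sh
# Added example: audit which Android apps hold the Accessibility Service and
# Notification Listener permissions SharkBot depends on. Both settings are
# colon-separated lists of "package/ServiceClass" entries, read with:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners

# Print each entry of a colon-separated service list ($1) whose package
# name is not in the space-separated allowlist ($2), one entry per line.
# An unset setting is reported by "settings get" as the word "null".
unknown_services() {
    list="$1"
    allow="$2"
    if [ "$list" = "null" ]; then
        list=""
    fi
    printf '%s\n' "$list" | tr ':' '\n' | while IFS= read -r entry; do
        if [ -z "$entry" ]; then
            continue
        fi
        pkg="${entry%%/*}"            # package name is everything before '/'
        found=0
        for ok in $allow; do
            if [ "$pkg" = "$ok" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$entry"
        fi
    done
}

# Constructed sample values (placeholder package names, not real SharkBot IoCs).
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeav/com.example.fakeav.AccessSvc'
SAMPLE_NOTIF='com.example.fakeav/com.example.fakeav.NotifSvc'
# Assumed allowlist: the screen reader is expected to hold accessibility access.
ALLOW='com.google.android.marvin.talkback'

echo "Accessibility services not on the allowlist:"
unknown_services "$SAMPLE_A11Y" "$ALLOW"
echo "Notification listeners not on the allowlist:"
unknown_services "$SAMPLE_NOTIF" "$ALLOW"

# Live use against a connected device (requires adb):
#   unknown_services "$(adb shell settings get secure enabled_accessibility_services)" "$ALLOW"
#   unknown_services "$(adb shell settings get secure enabled_notification_listeners)" "$ALLOW"
```

Any entry this prints is worth a second look: a "cleaner" or "antivirus" app that holds accessibility access has the same capability the article describes, regardless of whether it is SharkBot specifically.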