SharkBot is a “newer” Android banking trojan found recently being distributed on the Google Play Store. The trojan was originally found in October of 2021 by the Cleafy research team.
The original Cleafy analysis stated that the sole goal of SharkBot was to initiate currency transfers via Automatic Transfer Systems or ATS. Based on this analysis, this is an advanced attack technique not normally utilized within Android banking malware. Unlike most of the Android malware out there currently, that requires a live operator to insert and authorize money transfers. This technique allows the attackers to scale up their botnet with minimal effort.
The new ATS features allow the malware to automate the money transfers via a list of commands. Since the malware has the ability to simulate touches via the smartphone touchscreen, it can also complete other malicious tasks other than transferring money.
How SharkBot Steals Money and Credentials
SharkBot has four main components implemented in its code to steal banking credentials:
- Injections: SharkBot can steal banking credentials by overlaying a fake login over the banking app as soon as it detects that the banking app has been opened.
- Keylogging: SharkBot can steal credentials by logging the text that has been entered via the keyboard on the mobile device. Which is then sent to the command and control server or C&C.
- SMS intercept: SharkBot has the ability to intercept & hide SMS messages on the device infected.
- Remote control: SharkBot can gain full remote access to the device, accessing anything a normal smartphone user can access via Accessibility Services.
For many of these credential-stealing features, SharkBot will need the user to enable the Accessibility Permissions & Services. This allows the malware to intercept all accessibility events or actions the user takes, including button presses, touches, any text type/inputted into text fields, etc.
How SharkBot is Being Distributed
SharkBot is being spread via the Google Play Store, specifically a fake antivirus app called “Antivirus, Super Cleaner” as seen in the image below.
Another method this Android malware is utilizing is called “Direct reply“. With this feature, the attackers can tell the malware to automatically reply to any incoming text messages with a specified message including a download to the fake antivirus app.
In the image below, we can see this “autoReply” command sent from the attacker’s command and control server which contains a Bit.ly link that redirects to the Google Play Store.
Commands
SharkBot supports a slew of commands that the adversary can execute on an infected phone at any time. These include uninstalling any app from the device, sending text messages, downloading files and texts, etc. A full list of commands is below:
- smsSend: used to send a text message to the specified phone number by the TAs
- updateLib: used to request the malware downloads a new JAR file from the specified URL, which should contain an updated version of the malware
- updateSQL: used to send the SQL query to be executed in the SQLite database which Sharkbot uses to save the configuration of the malware (injections, etc.)
- stopAll: used to reset/stop the ATS feature, stopping the in-progress automation.
- updateConfig: used to send an updated config to the malware.
- uninstallApp: used to uninstall the specified app from the infected device
- changeSmsAdmin: used to change the SMS manager app
- getDoze: used to check if the permissions to ignore battery optimization are enabled and show the Android settings to disable them if they aren’t
- sendInject: used to show an overlay to steal user’s credentials
- getNotify: used to show the Notification Listener settings if they are not enabled for the malware. With these permissions enabled, Sharkbot will be able to intercept notifications and send them to the C2
- APP_STOP_VIEW: used to close the specified app, so every time the user tries to open that app, the Accessibility Service with close it
- downloadFile: used to download one file from the specified URL
- updateTimeKnock: used to update the last request timestamp for the bot
- localATS: used to enable ATS attacks. It includes a JSON array with the different events/actions it should simulate to perform ATS (button clicks, etc.)