Google has removed 6 different malicious Android applications targeting mainly users in the UK & Italy that were installed about 15,000 times.
Researchers have found the info-stealing Android malware Sharkbot hiding unseen within the Google Play store under the cover of anti-virus (AV) solutions.
While analysing suspicious applications on the store, the Check Point Research (CPR) team found what pretended to be genuine AV solutions downloading & installing the malware, which steals credentials & banking info from Android devices but also has some other unique features.
“Sharkbot lures victims to enter their credentials in windows that mimic benign credential input forms,” CPR researchers Alex Shamsur & Raman Ladutska wrote in a report published last Thurs.
“When the user enters credentials in these windows, the compromised data is sent to a malicious server.”
6 Different Applications
Researchers found 6 different applications—including ones named Atom Clean-Booster, Antivirus; Antivirus Super Cleaner; & Centre Security-Antivirus—spreading Sharkbot. The apps came from 3 developer accounts–Zbynek Adamcik, Adelmio Pagnotto & Bingo Like Inc.–at least 2 of which were active in the autumn of 2021. This timeline made sense, as Sharkbot 1st came to researchers’ attention last Nov.
“Some of the applications linked to these accounts were removed from Google Play, but still exist in unofficial markets,” researchers observed. “This could mean that the actor behind the applications is trying to stay ‘under the radar’ while still involved in malicious activity.”
Google removed the applications, but not before they were downloaded & installed about 15,000 times, researchers stated. The primary targets of Sharkbot are users in the UK & Italy, as previously observed, they explained.
CPR researchers looked into Sharkbot & uncovered not only typical info-stealing tactics, but also some features that set it apart from typical Android malware, researchers outlined. It includes a ‘geofencing’ feature that selects victims based on geographic area, ignoring users from China, India, Romania, Russia, Ukraine, or Belarus, they surmised.
Sharkbot also has some advanced techniques, researchers noted. “If the malware detects it is running in a sandbox, it stops the execution & quits,” they wrote.
Domain Generation Algorithm (DGA)
Another unique feature of the malware is that it uses a Domain Generation Algorithm (DGA), which is rarely used in malware for the Android platform, researchers concluded.
“With DGA, 1 sample with a hardcoded seed generates 7 domains per week,” they wrote. “Including all the seeds & algorithms we have observed, there is a total of 56 domains per week, i.e., 8 different combinations of seed/algorithm.”
Researchers observed 27 versions of Sharkbot during their research; the main difference between versions was different DGA ‘seeds’ as well as different botnetID & ownerID fields, they stated.
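The arithmetic above (one seed/algorithm pair yielding 7 domains per week, 8 pairs yielding 56) is what lets defenders who have recovered the seeds from samples precompute a blocklist for a coming week. The following is an added illustration, not Sharkbot's actual algorithm or any code from the CPR report: it assumes a hypothetical hash-based DGA that produces one domain per day from a seed, an algorithm name and the date, and a placeholder `.example` TLD; the seed values are constructed.

```python
import hashlib
from datetime import date, timedelta

# Placeholder TLD for the constructed example; a real DGA's TLDs would be
# recovered from the sample, not guessed.
TLD = ".example"


def week_start_for(day: date) -> date:
    """Align any date to the Monday that starts its week (assumed DGA epoch boundary)."""
    return day - timedelta(days=day.weekday())


def weekly_domains(seed: str, week_start: date, algorithm: str = "sha256") -> list[str]:
    """Return the 7 domains one (seed, algorithm) pair yields for the given week.

    Hypothetical scheme: one domain per day, derived from a hash over the seed,
    the hash algorithm name and the ISO date. This mirrors the page's count of
    7 domains per week per seed, not Sharkbot's real derivation.
    """
    domains = []
    for offset in range(7):
        day = week_start + timedelta(days=offset)
        material = f"{seed}:{algorithm}:{day.isoformat()}".encode()
        digest = hashlib.new(algorithm, material).hexdigest()
        domains.append(digest[:12] + TLD)
    return domains


def blocklist_for_week(seed_algo_pairs: list[tuple[str, str]], week_start: date) -> set[str]:
    """Precompute every domain all known (seed, algorithm) pairs can use in a week.

    With 8 distinct pairs this yields 56 domains, matching the totals CPR
    reported; defenders feed the set to DNS sinkholes or egress filters.
    """
    blocklist: set[str] = set()
    for seed, algorithm in seed_algo_pairs:
        blocklist.update(weekly_domains(seed, week_start, algorithm))
    return blocklist


def is_dga_domain(domain: str, blocklist: set[str]) -> bool:
    """Detection check: does a DNS query name match the precomputed weekly set?"""
    return domain.lower().rstrip(".") in blocklist


# Constructed seed/algorithm combinations: 4 seeds x 2 hash algorithms = 8 pairs.
KNOWN_PAIRS = [
    (seed, algorithm)
    for seed in ("seed-a", "seed-b", "seed-c", "seed-d")
    for algorithm in ("sha256", "md5")
]

if __name__ == "__main__":
    week = week_start_for(date(2022, 3, 10))  # a date inside the reporting window
    domains = blocklist_for_week(KNOWN_PAIRS, week)
    print(f"Week of {week}: {len(domains)} domains to block")
    for name in sorted(domains)[:5]:
        print("  ", name)
```

Because the derivation is deterministic, the same set can be regenerated for the following week in advance, which is the point of recovering seeds during analysis: the defender's blocklist stays one step ahead of the sample's rotation instead of chasing domains after they resolve.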
Sharkbot implements 22 commands that allow various malicious actions to be executed on a user’s Android device, including: requesting permission for sending SMS messages; uninstalling a given application; sending the device’s contact list to a server; disabling battery optimisation so Sharkbot can run in the background; & imitating the user’s swipe over the screen.
Researchers 1st discovered 4 applications of the Sharkbot Dropper on Google Play on Feb. 25 & shortly thereafter reported their findings to Google on Mar. 3. Google removed the applications on Mar. 9 but then another Sharkbot dropper was found just 6 days later, on Mar. 15.
CPR reported the 3rd dropper discovered immediately, & then found 2 more Sharkbot droppers on Mar. 22 & Mar. 27 that they also reported quickly to Google for removal.
The droppers by which Sharkbot spreads in & of themselves should cause concern, researchers explained. “As we can judge by the functionality of the droppers, their possibilities clearly pose a threat by themselves, beyond just dropping the malware,” they wrote.
Researchers found the Sharkbot dropper hiding as the following applications on Google Play:
The droppers also have some evasion tactics, e.g. detecting emulators & quitting if 1 is found, researchers noted. They also are able to ‘inspect & act’ on all the UI events of the device as well as replace notifications sent by other applications.
“In addition, they can install an APK downloaded from the CnC, which provides a convenient starting point to spread the malware as soon as the user installs such an application on the device,” researchers added.
However, the appearance of Sharkbot disguised as AV solutions shows that attackers are getting ‘sneakier’ in how they hide their malicious activity on the platform, & could serve to damage users’ confidence in Google Play, claimed a security professional.
“Malware apps that conceal their malicious functionality with time delays, code obfuscation & geofencing can be challenging to detect during the app review process, but the regularity that they are discovered lurking in official app stores really damages user trust in the safety of all apps on the platform,” observed Chris Clements, VP of Solutions Architecture at security firm Cerberus Sentinel.
With the smartphone at the heart of people’s digital lives & actions as a centre of financial, personal & work activity, “any malware that compromises the security of such a central device can do significant financial or reputational damage,” he concluded.
Another security professional urged Android users to exercise caution when deciding whether to download a mobile app, even from a reputable vendor’s store or a trusted brand.
“When installing apps from various technology stores, it is best to research the app before downloading it,” observed James McQuiggan, security awareness advocate at KnowBe4. “Cybercriminals love to trick users into installing malicious apps with hidden functionalities in an attempt to steal data or take over accounts.”