Fake antivirus, Sharkbot circles back onto Google Play store

Back in February 2022, our Fox-IT threat intelligence team discovered a new generation banking Trojan, posing as a fake Android antivirus cleaner, known as SharkBotDropper, in the Google Play store.

Last month, the team detected a new version of this malware dropper active in two apps on the Google Play store, with over 60,000 installations between them.

Alberto Segura, malware analyst at Fox-IT, shares the background and more details on the new breed of Sharkbot.

What is Sharkbot?

Sharkbot is a banking trojan first found in 2021 that attacks Android operating systems and specifically looks to steal banking credentials from unsuspecting victims.

This malicious app was first found to be targeting crypto apps and is designed to obtain and misuse financial data by redirecting and stealthily initiating money transfers.

The malware aims to steal the victim’s login information, allowing threat actors to use the account for malicious activities. While it is particularly active in Europe, its activity has also been detected in the United States.

A new breed

While the previous version of the trojan abused accessibility permissions in order to install the malware automatically, the newer version of the Sharkbot dropper, discovered in September, instead relies on the victim to install the malware themselves, under the guise of an antivirus update that will ‘help the victim stay protected against threats.’

Although the user now has to complete an extra step before the malware can take effect, the new dropper is harder to detect before it is published on the Google Play Store, since it no longer needs the accessibility permissions that gave the old version away.

New campaigns in new countries

Our research so far has revealed that the list of targeted countries for the malware has grown, to now include Spain, Australia, Poland, Germany, US and Austria.

In addition, the newly targeted applications are not attacked with the usual web injections; instead, they are targeted with keylogging (grabber) features. The malware captures the text typed into the login forms of the official apps in order to gain access to the bank account.

This is done by abusing the ‘Accessibility Services’ feature, which allows malicious applications to listen to accessibility events such as button clicks and text field changes. Besides that, the new version can also open a WebView that loads the bank’s official website in order to steal the cookies once the victim logs in to the account.
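As an added illustration of the defender-side triage this implies (example code written for this page, not Fox-IT’s or NCC Group’s own tooling), the script below inspects an app’s AndroidManifest.xml, already decoded to plain XML, and flags the combination described above: an accessibility service declaration together with the permission to install further packages. The two manifests are constructed samples and the package names are placeholders; the permission and action names are the standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"

# Constructed sample manifests for this example; they are not taken from any real app.
DROPPER_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakecleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Cleaner">
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the package name, a list of findings and a review flag.

    The flag is True only when the app both declares an AccessibilityService
    (so it can observe button clicks and text field changes) and requests
    REQUEST_INSTALL_PACKAGES (so it can ask the user to side-load a second APK).
    """
    root = ET.fromstring(xml_text)
    permissions = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}

    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    # whose intent filter handles the AccessibilityService action.
    declares_accessibility = False
    for service in root.iter("service"):
        guarded = service.get(PERMISSION_ATTR) == BIND_ACCESSIBILITY
        handles_action = any(
            a.get(NAME_ATTR) == ACCESSIBILITY_ACTION for a in service.iter("action")
        )
        if guarded and handles_action:
            declares_accessibility = True

    findings = []
    if declares_accessibility:
        findings.append("declares an AccessibilityService (can observe text field changes)")
    if INSTALL_PERMISSION in permissions:
        findings.append("requests REQUEST_INSTALL_PACKAGES (can side-load a second APK)")

    return {
        "package": root.get("package"),
        "findings": findings,
        "flag": declares_accessibility and INSTALL_PERMISSION in permissions,
    }


if __name__ == "__main__":
    for manifest in (DROPPER_LIKE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        verdict = "REVIEW" if result["flag"] else "ok"
        print(result["package"], "->", verdict, result["findings"])
```

Many legitimate apps (screen readers, password managers) declare an accessibility service, so the flag is a triage signal that earns an app a closer look, not a verdict; the value of the check is the pairing with the install permission that a fake ‘protection update’ needs.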

Advice for users

Since we first started research on Sharkbot in February 2022, it’s clear that the developers have been working to improve both their malware and dropper. This new version distributes the malware in a more subtle way, and so it is essential that we keep an eye on any new campaigns or targeted applications that develop.

In order to stay safe, users should do their research before downloading apps that could be untrustworthy, and read any update notifications carefully so that they are always aware of what they are installing on their devices.

You can read the full details of the Sharkbot research over on our Research blog here.

Contacts

NCC Group Press Office

Press contact for all media enquiries relating to NCC Group plc: +44 7721577574