It’s called SharkBot, it’s back in the PlayStore and it’s become formidable. This Trojan automates several procedures to successfully exploit the banking applications installed on an Android smartphone and send money to its operator.
You will also be interested
[EN VIDÉO] Kézako: how does a mobile phone network work? Every day thousands of calls are made in France from a mobile phone. Allowing you to stay in touch easily and almost everywhere, the smartphone however works with a complex mobile phone network. The University of Lille 1 and Unisciel explain its secrets to us on video in this episode of Kézako.
Once again, and despite the efforts made by Google at the level of its Play store, Android mobiles still suffer from worrying security problems. Among the current threats is SharkBot, a Trojan horse which specializes in stealing bank details. the malware had already been talked about in October 2021 after its discovery by the team of Cleafy Threat Intelligence. It already had features that put it in a class of its own. It was then considered a novelty to be watched closely because of its dangerousness and its different functioning from all the others. malware of its category.
Today, it returns to settle in the Play Store by fooling the security measures. It is found in apps supposed to be specialized in security and data protection… A shame! From apps which are downloaded tens of thousands of times and whose files have many positive comments to reassure the user. The malware has the particularity of being completely autonomous. It will look for the installed banking applications to connect to them and transfer sums ofmoney to the accounts of its operators. If the SharkBot code doesn’t seem harmful when the app is installed, it’s because the payload is fetched later.
It’s the victim who presses the red button
To plunder bank accounts, the malware uses automatic transfer systems (ATS). This technique is quite rare and allows the operator to automatically fill in the fields of legitimate mobile banking applications to carry out money transfers. For SharkBot, it is easy to fool the banking application since it knows how to simulate the activation of buttons and keys on the keyboard.
SharkBot uses several strategies to successfully penetrate the banking application. It can steal credentials by immediately displaying a sitePhishing as soon as the banking application is opened. It can also use a Keylogger which will record the entry of identifiers. And if however the application uses a validation by SMSit is capable of intercepting and masking SMS to use their content. It is also possible for the operator to control the device remotely.
In all cases and as often, it is the victim who allows the malware to express itself freely by granting access permissions to the application that hosts it during its installation. These authorizations go a long way since they give access to everything that happens on the mobile. The security company NCC-Group, who wrote a full article on how this malware works, warned Google so that it could remove the infected apps from the Play Store as soon as possible. the Trojan horse should disappear again…until next time.
Interested in what you just read?