That Android antivirus could actually be malware


A banking Trojan capable of stealing login credentials, transferring money from a compromised account, intercepting SMS messages, hiding notifications, and a bunch of other nasties has been found hiding in the Google Play Store. 

Researchers from two cybersecurity firms, first Cleafy, and later NCC Group, spotted the highly dangerous SharkBot, disguised as an antivirus app called “Antivirus, Super Cleaner”.

The app had been downloaded more than a thousand times, compromising the devices it was installed on, before Google removed it from the store.


Automatic Transfer Systems abuse

The Play Store is Google’s official app repository for the Android ecosystem and is generally perceived as secure - yet sometimes a malicious app will make it through Google’s defenses.

How the app made it to the Play Store has not yet been explained in detail, but the researchers did say the initial dropper app carried a “light” variant of the malware, which could help it avoid detection. 

SharkBot is considered extremely dangerous, among other things, because it is capable of transferring money via Automatic Transfer Systems (ATS) by simulating touches, clicks, and button presses, on compromised endpoints. 

The researchers say the operators rarely use that capability, though. Instead they focus on stealing credentials, either by overlaying a fake login page as soon as the official banking app is detected opening, or by logging Accessibility events (in effect, keylogging); intercepting and hiding SMS messages, probably to suppress the bank's notification of a successful login; and remotely controlling the compromised device through Accessibility Services. All SharkBot needs in order to do any of this is for the victim to grant it the Accessibility permission. 

SharkBot also appears to abuse Android's "Direct reply" feature, which lets users answer a message straight from the notification shade without opening the messaging app. 
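Both of the capabilities described above, Accessibility Services and notification access, are granted by the user and recorded in Android's secure settings, which makes them a quick thing to audit on a device you suspect. The triage script below is an added example for this article, not code from the researchers or from SharkBot's analysis. It parses the raw values that `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners` return (both are real settings, stored as colon-separated component names, or the literal string `null` when empty) and flags every package not on an allow-list. The package name `com.example.supercleaner`, the sample setting values and the allow-list are constructed for illustration.

```python
"""Triage: which apps hold Accessibility or notification-listener access?

Added example, not the article's or the researchers' code. Reads the two
Android secure settings a SharkBot-style Trojan depends on and reports any
package not explicitly allow-listed. Sample values below are constructed.
"""
import subprocess
from typing import Dict, List, Optional, Set

# Constructed sample output of `settings get secure enabled_accessibility_services`.
# Android stores a colon-separated list of "package/ServiceClass" components.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.supercleaner/.svc.AccessibilityAgent"  # hypothetical dropper package
)

# Constructed sample output of `settings get secure enabled_notification_listeners`.
# A listener can read and act on notifications, which is what Direct-reply abuse needs.
SAMPLE_NOTIFICATION_LISTENERS = (
    "com.google.android.apps.wellbeing/.NotificationListener:"
    "com.example.supercleaner/.svc.NotificationAgent"
)

# Packages the analyst has decided are expected to hold these rights (assumption).
ALLOWLIST: Set[str] = {
    "com.google.android.marvin.talkback",
    "com.google.android.apps.wellbeing",
}


def parse_components(raw: str) -> List[str]:
    """Turn a secure-setting value into package names.

    An unset setting prints the literal string "null"; an empty string is also
    possible. Each entry is "package/ServiceClass", so the package is the part
    before the first slash.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    packages = []
    for component in raw.split(":"):
        component = component.strip()
        if component:
            packages.append(component.split("/", 1)[0])
    return packages


def flag_unexpected(raw: str, allowlist: Set[str]) -> List[str]:
    """Packages holding the capability that are not on the allow-list."""
    return sorted({pkg for pkg in parse_components(raw) if pkg not in allowlist})


def read_secure_setting(name: str, serial: Optional[str] = None) -> str:
    """Fetch a live value over adb (assumes adb is on PATH; not used offline)."""
    cmd = ["adb"]
    if serial:
        cmd += ["-s", serial]
    cmd += ["shell", "settings", "get", "secure", name]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def triage(accessibility_raw: str, listeners_raw: str,
           allowlist: Set[str] = ALLOWLIST) -> Dict[str, List[str]]:
    """Report unexpected holders of each capability, keyed by capability."""
    return {
        "accessibility": flag_unexpected(accessibility_raw, allowlist),
        "notification_listener": flag_unexpected(listeners_raw, allowlist),
    }


if __name__ == "__main__":
    # Offline run over the constructed samples. For a live device, replace the
    # arguments with read_secure_setting("enabled_accessibility_services") and
    # read_secure_setting("enabled_notification_listeners").
    for capability, packages in triage(SAMPLE_ACCESSIBILITY,
                                       SAMPLE_NOTIFICATION_LISTENERS).items():
        status = ", ".join(packages) if packages else "none"
        print(f"{capability}: unexpected holders -> {status}")
```

A package that shows up under both headings, as the hypothetical cleaner app does here, is worth pulling for analysis: the combination of Accessibility access and notification access is exactly what an overlay-and-hide banking Trojan needs and what a genuine cleaner app does not.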

 Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.