The SharkBot remote access banking malware was first spotted in October 2021. It was discovered by security researchers at Cleafy and was judged to be one of a kind, with no connection to malware like TeaBot or Xenomorph.
However, a recent report published by the NCC Group claims that SharkBot has infiltrated the Google Play Store, posing as an antivirus with system cleaning capabilities. The feature that most sets it apart from other banking trojans is transferring money via Automatic Transfer Systems (ATS), which is done by simulating touches, clicks, and button presses on compromised devices.
The report further detailed how SharkBot works and how it ended up bypassing Play Store safety measures.
How SharkBot Works
The malicious app functions like a triple-layered poison pill: one layer impersonates an antivirus, and the second layer is a scaled-down version of SharkBot that then updates itself by downloading the full version of the malware. That’s when it starts its real game, using a variety of tactics to loot victims’ bank accounts.
As per the NCC report, SharkBot carries out an overlay attack the moment it detects an active banking app. It displays a prompt that imitates the bank in question and asks the user to enter their login credentials. The program also activates a keylogger, a type of monitoring software designed to record the keystrokes made by a user.
This keylogger then sends the typed credentials to the attacker’s servers. The malware doesn’t just intercept SMS messages; it hides them as well. It can also hijack incoming notifications and send out messages that originate with the attacker’s command and control. Ultimately, SharkBot uses these methods to completely take over an Android smartphone.
The laced Android application that carries SharkBot
Fortunately, this particular malicious app hasn’t spread much further than 1,000 downloads for now. However, if you have downloaded the fake “Antivirus, Super Cleaner” app from the Play Store, you should delete it immediately and consider fully cleansing your smartphone.