The SharkBot remote access banking trojan was first spotted in the wild in October 2021. Automatic Transfer System (ATS), is new to Android and lets attackers move money automatically out of the victim’s accounts, with no human intervention needed. An updated SharkBot is hiding inside an innocent-looking antivirus app which is still available on the Google Play Store.
The malicious app functions like a three-layer poison pill, with one layer masquerading as the antivirus and the second layer as a scaled-down version of SharkBot that then updates by downloading the fully-fanged version of the malware. That’s when it goes to work using a variety of tactics to loot victims’ bank accounts.
SharkBot can perform an “overlay attack” the moment it detects an active banking app. It throws up a screen that looks like the bank in question, ready for you to feed it your login credentials. The program also activates a keylogger that sends whatever you type to the attacker’s servers and it doesn’t just intercept SMS messages but can hide them, too.
The software can even hijack incoming notifications and send out messages that originate with the attacker’s command and control. Ultimately, SharkBot can use these methods to completely own an Android smartphone.
This particular malicious app hasn’t spread much further than 1,000 downloads . However, if you have downloaded the fake “Antivirus, Super Cleaner” from the Play Store, delete it immediately and consider the possibility you may need to fully wipe your phone. This is one shark you won’t see coming thanks to a dorsal fin sticking out of the water.
SharkBot implements the four main strategies to steal banking credentials in Android:
- Injections (overlay attack)
- SMS intercept
- Remote control/ATS
SharkBot can receive different commands from the C2 server in order to execute different actions in the infected device such as sending text messages, download files, show injections, etc. The list of commands it can receive and execute is as follows:
Indicators of Compromise
- a56dacc093823dc1d266d68ddfba04b2265e613dcc4b69f350873b485b9e1f1c (Google Play SharkBotDropper)
- 9701bef2231ecd20d52f8fd2defa4374bffc35a721e4be4519bda8f5f353e27a (Dropped SharkBot v1.64.1)
‘Auto/Direct Reply’ URL used to distribute the malware:
Google Play Store URL:
C2 servers/Domains for SharkBot:
- n3bvakjjouxir0zkzmd[.]xyz (126.96.36.199)
- mjayoxbvakjjouxir0z[.]xyz (188.8.131.52)