
Threat actors have disguised their banking trojan as an antivirus app to avoid detection by Google Play. The banking trojan is called SharkBot.

SharkBot, like the malware families TeaBot, FluBot, and Oscorp (UBEL), falls under the financial trojan category. It can steal credentials for money transfers from affected devices by dodging multi-factor authentication. SharkBot was used in November 2021.


SharkBot can carry out unauthorized transactions via Automatic Transfer Systems (ATS), unlike its counterpart TeaBot, which depends on a live operator to interact with the infected devices to execute malicious activities.

“The ATS features allow the malware to receive a list of events to be simulated, and they will be simulated in order to do the money transfers,” Alberto Segura and Rolf Govers, malware analysts at cybersecurity firm NCC Group, said in a report published last week.

“Since these features can be used to simulate touches/clicks and button presses, it can be used to not only automatically transfer money but also install other malicious applications or components.”

To avoid detection by bank security systems, ATS follows a process similar to the one a person would use to transfer money. It emulates the same sequence of actions, such as button presses, clicks, and gestures.

The latest version, tracked on the Google Play Store on February 28, entails dropper apps that use Android’s Direct Reply functionality to spread to other devices. SharkBot becomes the second banking trojan, after FluBot, to seize notifications for wormable attacks.

SharkBot has additional features that allow the hackers to plant fraudulent overlays atop official banking apps to pilfer credentials, log keystrokes, and access the devices remotely. But for all the above to happen, the victim needs to grant Accessibility Services permissions.

The discovery came a week after researchers from Cleafy revealed information about an unknown TeaBot variant available on the Play Store. The new variant targets users of more than 400 banking and financial apps from across the globe, including Russia, China, and the U.S.

Reference

https://thehackernews.com/2022/03/sharkbot-banking-malware-spreading-via.html?&web_view=true