A dangerous Android banking Trojan called SharkBot that first surfaced last October and continues to circulate in the wild is the latest example of threat actor persistence in trying to distribute mobile malware through the trusted Google Play mobile app store.
The malware — which its discoverer described as "next generation" — uses compromised Android devices to surreptitiously transfer money out of bank accounts while the victim is logged in to them, bypassing multifactor authentication controls in the process. SharkBot can also steal credentials and credit card data and packs multiple features that are designed to complicate or slow down detection.
Over the past month, researchers from Check Point Research identified at least six different applications on Google Play that were masquerading as legitimate antivirus software but instead were being used to drop SharkBot on the devices of those who downloaded the apps. The six apps were uploaded from three separate developer accounts and were downloaded more than 15,000 times in the relatively short period that they were available on Play.
Check Point discovered four of the applications distributing SharkBot on Feb. 23, 2022, and reported it to Google on March 3, the same day that another security vendor, NCC Group, reported finding the same threat in Google's official mobile app store as well. Google removed the rogue apps from Google Play about a week later. But less than one week later — and then again a week after that — Check Point discovered two more apps containing the malware on Google Play. On both occasions Google's security team moved quickly to remove the threats before any users downloaded them.
A Google spokesman confirmed the company has removed all traces of the malware from Play.
In a blog post this week, Check Point highlighted several SharkBot features that go some way toward explaining how the malware's authors were able to bypass Google's protections multiple times and upload it to the Play app store. SharkBot's tricks include time delays, capabilities for detecting if it's running in a sandbox, and keeping most of its malicious functionality in a module that's downloaded from an external command-and-control server after Play's app vetting processes are complete.
One aspect of SharkBot that Check Point said it has rarely observed in Android malware is its use of a domain generation algorithm (DGA) to keep switching its C2 domains, which makes blocking the threat harder. Also noteworthy is a geofencing capability in SharkBot that ensures the malware does not execute on Android devices located in China, Russia, Ukraine, India, Belarus, and Romania.
"DGA is an algorithm by which a malicious client and malicious actor can change the C2 server in concert, without any communication," says Alexander Chailytko, cybersecurity research and innovation manager at Check Point Software. With DGA, SharkBot can generate 35 domains per week, thereby complicating the process of blocking the malware operators’ servers, he says.
The fact that all of SharkBot's malicious actions are triggered from the command-and-control server also means that the malicious app can stay in a sort of "OFF"-state during a test period in Google Play and turn "ON" when it gets to the users' devices, Chailytko says.
Both Cleafy, the first to discover the malware, and the NCC Group in a report last month noted SharkBot's use of a technique called Automatic Transfer Systems (ATS) to initiate money transfers from bank accounts belonging to owners of SharkBot-infected Android devices. The technique basically involves the malware auto-filling fields and forms that banks typically require to initiate a money transfer, when the victim uses a compromised device to log into their bank account. Such theft can be very hard to detect because it can bypass multifactor checks and is performed by a trusted user with a previously enrolled device, Cleafy noted.
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, says malware apps that use time delays, code obfuscation techniques, and geofencing can be hard to detect. Even so, the regularity with which they are discovered on the official app stores of Google and Apple damages user trust in the safety of all apps on these platforms — especially because both vendors tout their app stores as safe and secure, Clements says. "It’s a big problem in part because successfully compromising the mobile device at the center of a person’s digital life gives the attacker broad access to cause significant damage."
He advocates that mobile device users pay close attention to the permissions that they grant to apps they download, especially any app that wants access to the "Accessibility Service" on Android for assisting users with disabilities.
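One way to act on that advice across managed devices is to audit which apps currently hold an enabled accessibility service. The script below is an added example, not code from Check Point, Cleafy, NCC Group, or Clements; the allowlist and the sample package names are constructed assumptions, and the input is the colon-separated list printed by `adb shell settings get secure enabled_accessibility_services`.

```shell
#!/bin/sh
# Flag apps with an enabled Android Accessibility Service that are not on
# an allowlist. Input format: "package/service:package/service:..." as
# printed by `adb shell settings get secure enabled_accessibility_services`
# ("null" or empty when no service is enabled).

# Hypothetical allowlist of packages expected to use accessibility
# (space-separated package names; adjust for your own fleet).
ALLOWED_PACKAGES="com.google.android.marvin.talkback com.example.screenreader"

# flag_unexpected_services ENABLED_LIST [ALLOWLIST]
# Prints one "package/service" line per enabled service whose package is
# not on the allowlist; prints nothing when every service is expected.
flag_unexpected_services() {
    allowlist=${2:-$ALLOWED_PACKAGES}
    # Strip CRs/spaces that adb output may carry, then split on ':'.
    printf '%s\n' "$1" | tr -d '\r ' | tr ':' '\n' |
    while IFS= read -r component; do
        case "$component" in ''|null) continue ;; esac
        pkg=${component%%/*}                    # part before the first '/'
        case " $allowlist " in
            *" $pkg "*) ;;                      # expected package
            *) printf '%s\n' "$component" ;;    # not allowlisted: review it
        esac
    done
}

if [ "${1:-}" = "--device" ]; then
    # Live use: query the device currently attached over adb.
    enabled=$(adb shell settings get secure enabled_accessibility_services)
    flag_unexpected_services "$enabled"
else
    # Constructed sample: TalkBack plus a made-up "antivirus" package.
    sample='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeantivirus/.CleanerService'
    flag_unexpected_services "$sample"
fi
```

Any component the script prints belongs to an app that can read and drive the screen, so it merits a manual check of where the app came from and why it needs that access.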