Seven malicious Android apps were detected on the Google Play Store masquerading as antivirus solutions in order to distribute a banking malware known as SharkBot.
"SharkBot obtains credentials and banking information," Check Point researchers Alex Shamshur and Raman Ladutska noted in a report shared with The Hacker News. "This malware uses a geofencing feature as well as evasion strategies, which distinguishes it from other malware."
The malware is specifically built to ignore users from China, India, Romania, Russia, Ukraine, and Belarus. The malicious apps are believed to have been installed more than 15,000 times before being removed, with the majority of victims being in Italy and the United Kingdom.
The report adds to NCC Group's prior findings, which found the banking bot disguising itself as antivirus software to carry out illicit transactions via Automatic Transfer Systems (ATS).
SharkBot abuses Accessibility Services permissions to display bogus overlay windows on top of legitimate banking apps. As a result, when unwary users enter their usernames and passwords into windows that look like normal credential input forms, the data is recorded and sent to a malicious server.
SharkBot now also has the capacity to automatically respond to notifications from Facebook Messenger and WhatsApp in order to disseminate a phishing link to the fake antivirus app, effectively spreading the malware in a worm-like fashion. A similar feature was added to FluBot earlier this month.
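A defender-side check for the two capabilities described above, as an added example that is not taken from the Check Point or NCC Group reports: it parses the Android secure settings that list enabled accessibility services and notification listeners, and reports packages outside an allowlist. The sample values, the `com.example.antivirus.cleaner` package and the allowlist are constructed, and treating notification-listener access as relevant to the auto-reply behaviour is an assumption.

```python
# Added example: audit which packages hold Accessibility or notification access.
# Input is the text returned on a device you manage by:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners
# The sample values and the allowlist below are constructed for illustration.

ALLOWLIST = {"com.google.android.marvin.talkback"}  # assumed: services you expect

def parse_components(raw):
    """Split a colon-separated list of 'package/class' entries into (pkg, cls)."""
    raw = (raw or "").strip()
    if raw in ("", "null"):          # 'settings get' prints null when unset
        return []
    out = []
    for item in raw.split(":"):
        pkg, sep, cls = item.strip().partition("/")
        if not sep or not pkg:
            continue                 # skip malformed entries
        if cls.startswith("."):      # short form: class is relative to the package
            cls = pkg + cls
        out.append((pkg, cls))
    return out

def audit(accessibility_raw, listeners_raw, allowlist=ALLOWLIST):
    """Return {package: sorted list of grants} for packages not on the allowlist."""
    findings = {}
    for grant, raw in (("accessibility", accessibility_raw),
                       ("notification-listener", listeners_raw)):
        for pkg, _cls in parse_components(raw):
            if pkg not in allowlist:
                findings.setdefault(pkg, set()).add(grant)
    return {pkg: sorted(grants) for pkg, grants in findings.items()}

SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.antivirus.cleaner/.ProtectionService"
)
SAMPLE_LISTENERS = "com.example.antivirus.cleaner/com.example.antivirus.cleaner.NotifyService"

if __name__ == "__main__":
    for pkg, grants in audit(SAMPLE_ACCESSIBILITY, SAMPLE_LISTENERS).items():
        level = "REVIEW FIRST" if len(grants) == 2 else "review"
        print(f"{level}: {pkg} holds {', '.join(grants)}")
```

A package that holds both grants and is not an assistive tool the user knowingly enabled is the first one to inspect.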
The latest revelations come after Google banned 11 apps from the Play Store on March 25 after they were discovered using an invasive SDK to steal user data such as precise location information, email addresses and phone numbers, nearby devices, and passwords.
"It's also worth noting that threat actors send messages containing malicious links to victims, which leads to widespread adoption," said Alexander Chailytko, cyber security, research, and innovation manager at Check Point Software.
"Overall, the use of push notifications by threat actors soliciting responses from consumers is a unique spreading tactic."