SharkBot Banking malware masquerades as Android antivirus app

Malware analysts have uncovered a threat actor behind a particularly nasty Android banking app trojan named SharkBot. SharkBot has evaded Google Play Store’s security framework for a while, hiding within the coding of deceptive antivirus apps. 

Similar to its contemporaries, TeaBot, Oscorp (UBEL), and FluBot, SharkBot belongs to a virulent category of financially-centered malicious software designed to gain access to users’ banking information. It is able to achieve this by circumventing complex authentication mechanisms and thus siphon banking app credentials and initiating financial transfers from infected devices.

SharkBot does, however, have a few key differences to its contemporaries that make it a far more dangerous trojan. While other malicious software like TeaBot requires a live operator to remotely interact with the compromised device, SharkBot is capable of leveraging Automatic Transfer Systems. This means that it can carry out unauthorized financial transactions without a third party interacting with infected devices. 

In a recent report, malware analysts at the NCC Group cybersecurity firm said the following: ‘The ATS features allow the malware to receive a list of events to be simulated, and they will be simulated in order to do the money transfers. Since these features can be used to simulate touches/clicks and button presses, it can be used to not only automatically transfer money but also install other malicious applications or components.’

What this means is that once SharkBot has infiltrated a user’s device, it can virtually do anything. It’s able to record touches and keystrokes, create false overlays to trick you into interacting with it instead of your legitimate apps, and even install other malware without your knowledge. 

Four apps have been identified on Google Play as containing the trojan. All four are antivirus apps:

• Super Cleaner
• Atom Clean-Booster
• Alpha Antivirus
• Powerful Cleaner

Combined, these apps have been installed around 57,000 times since SharkBot was released. 

The worst aspect about this virus being injected into fake antivirus apps is that they’re apps that antivirus protection is a class of application every Android user should have. So how do you know which antivirus to trust? 

The best precaution is to go with a name you trust. Luckily, antivirus providers like Avast, Norton, and Malwarebytes have mobile clients. Android phones also usually come preloaded with antivirus software, most often supported by Avast. Why not check out our verdict on the mobile clients of your favorite antivirus providers?

Malwarebytes cyberprotection FREE DOWNLOAD