As many as seven malicious Android apps found on the Google Play Store masqueraded as antivirus solutions to deploy a banking trojan called SharkBot.
"SharkBot steals credentials and banking information," Check Point researchers Alex Shamshur and Raman Ladutska said in a report shared with The Hacker News. "This malware implements a geofencing feature and evasion techniques, which makes it stand out from the rest of malwares."
Notably, the malware is designed to ignore users from China, India, Romania, Russia, Ukraine, and Belarus. The rogue apps are said to have been installed more than 15,000 times prior to their removal, with most of the victims located in Italy and the U.K.
The report complements previous findings from NCC Group, which found the banking trojan posing as antivirus apps to carry out unauthorized transactions via Automatic Transfer Systems (ATS).
SharkBot takes advantage of Android's Accessibility Services permissions to present fake overlay windows on top of legitimate banking apps. When unsuspecting users enter their usernames and passwords into these windows, which mimic the benign credential input forms, the captured data is sent to a server controlled by the attackers.
One new notable feature of SharkBot is its ability to auto-reply to notifications from Facebook Messenger and WhatsApp with a phishing link pointing to the fake antivirus app, thus propagating the malware in a worm-like fashion. A similar feature was incorporated into FluBot earlier this February.
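The two capabilities described above, an accessibility service used to draw overlays and a notification listener used to auto-reply to messenger notifications, both leave footprints in an app's manifest. The following static triage script is an added example written for this page; it is not code from Check Point, NCC Group, or The Hacker News. It assumes the APK has already been decoded (for instance with apktool) so that AndroidManifest.xml is plain XML, and it assumes the spreading feature is built on Android's standard NotificationListenerService, which is the normal way an app reads and replies to other apps' notifications. The two manifests embedded in the script are constructed for the demonstration, and the package names in them are hypothetical. The indicator list is a heuristic for prioritising manual review, not a SharkBot signature.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability bundle
SharkBot abuses: accessibility service (screen reading / UI injection),
overlay windows, notification listener (auto-replies to messenger
notifications) and installing further packages (dropper behaviour).
Added example, not code from the original article. Heuristic only."""

import xml.etree.ElementTree as ET

# The android: attribute namespace used in every AndroidManifest.xml.
A = "{http://schemas.android.com/apk/res/android}"

PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW":
        "can draw overlay windows on top of other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES":
        "can install additional APKs (dropper behaviour)",
}

# A <service> bound with one of these permissions gets the matching system
# capability once the user enables it in Settings.
SERVICE_INDICATORS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE":
        "accessibility service: reads screen content and injects UI actions",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE":
        "notification listener: reads and can reply to other apps' notifications",
}

# Fallback: infer the bound capability from the service's intent-filter action
# when the android:permission attribute is missing or misspelled.
ACTION_TO_BIND = {
    "android.accessibilityservice.AccessibilityService":
        "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.service.notification.NotificationListenerService":
        "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return matched indicators and a verdict for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")

    permissions = []
    for node in root.iter("uses-permission"):
        name = node.get(A + "name", "")
        if name in PERMISSION_INDICATORS:
            permissions.append((name, PERMISSION_INDICATORS[name]))

    services = []
    for svc in root.iter("service"):
        cls = svc.get(A + "name", "")
        bind = svc.get(A + "permission", "")
        if bind not in SERVICE_INDICATORS:
            actions = {a.get(A + "name", "") for a in svc.iter("action")}
            bind = next((ACTION_TO_BIND[x] for x in actions if x in ACTION_TO_BIND), "")
        if bind in SERVICE_INDICATORS:
            services.append((cls, bind, SERVICE_INDICATORS[bind]))

    bound = {b for _, b, _ in services}
    granted = {p for p, _ in permissions}
    has_accessibility = "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound
    has_notif = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in bound
    has_overlay = "android.permission.SYSTEM_ALERT_WINDOW" in granted
    has_install = "android.permission.REQUEST_INSTALL_PACKAGES" in granted

    # Accessibility alone is legitimate for many apps. Combined with overlay
    # drawing, notification interception or self-install it matches the
    # profile described in the article and deserves manual review.
    suspicious = has_accessibility and (has_overlay or has_notif or has_install)
    return {"package": package, "permissions": permissions,
            "services": services, "suspicious": suspicious}


# Constructed sample: a fake "antivirus" app with the full capability bundle.
FAKE_AV_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeav">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Antivirus Cleaner">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary network-only app for contrast.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for m in (FAKE_AV_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], "SUSPICIOUS" if r["suspicious"] else "ok")
        for name, why in r["permissions"]:
            print("  perm", name, "->", why)
        for cls, bind, why in r["services"]:
            print("  svc ", cls, bind, "->", why)
```

Run against a directory of decoded manifests, this gives a first-pass ordering for analysts; an app that binds an accessibility service while also drawing overlays or listening to notifications is not necessarily malicious, but it has exactly the platform access the overlay theft and notification-driven spreading above require, so it should be looked at before the rest.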
"What's also noteworthy here is that the threat actors push messages to victims containing malicious links, which leads to wide adoption," Alexander Chailytko, cyber security, research and innovation manager at Check Point Software, said.
"All in all, the use of push-messages by the threat actors requesting an answer from users is an unusual spreading technique."
The latest findings come as Google took steps to remove 11 apps from the Play Store on March 25 after they were caught incorporating an invasive SDK to discreetly harvest user data, including precise location information, email and phone numbers, nearby devices, and passwords.