A New Malware Distributed via Fake Antivirus Applications: “SharkBot”

A new Android banking trojan has been detected being distributed via a fake antivirus application on the Google Play Store. Like the TeaBot, Flubot, and Oscorp malware, the malware, called SharkBot, was developed to perform money transfers from infected systems by bypassing multi-factor authentication (MFA) mechanisms.

In analyses carried out by security researchers, SharkBot has been observed using ATS (Automation Transfer Switches) features to perform money transfers from compromised systems. ATS features simulate a user’s sequence of actions, such as keystrokes and clicks, so that threat actors can manipulate the targeted bank’s fraud detection systems and perform illegal money transfers. The malware is distributed by manipulating Android’s “Direct Reply” feature. If users grant Accessibility permissions, SharkBot performs malicious activities such as using phishing attacks to obtain credentials, recording keystrokes, and sending the obtained user data to C&C servers. The applications on the Google Play Store that are responsible for distributing this malware are as follows:

• Antivirus, Super Cleaner
• Atom Clean-Booster, Antivirus
• Alpha Antivirus, Cleaner
• Powerful Cleaner, Antivirus

Finally, to minimize the possibility of user devices being infected with similar malicious software, it is recommended to keep the number of applications installed on devices to a minimum and to pay attention to the permissions requested by downloaded applications. In addition, it is crucial to block the IoCs related to the malware in the security solutions in use.
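One way to act on the permission advice above, given as an added example that is not part of the original report: list which apps on a device have an accessibility service enabled and flag any that are not expected. The allowlist and the `com.example.*` sample value are assumptions; on a real device the value comes from `adb shell settings get secure enabled_accessibility_services`.

```python
import subprocess

# Assumption: packages expected to hold an accessibility service on this
# fleet (TalkBack is Google's screen reader); adjust for your environment.
ALLOWLIST = {"com.google.android.marvin.talkback"}

def parse_enabled_services(raw):
    """Parse the colon-separated ComponentName list Android stores in the
    secure setting `enabled_accessibility_services`."""
    raw = (raw or "").strip()
    if raw in ("", "null"):           # setting unset: nothing enabled
        return {}
    services = {}
    for component in raw.split(":"):
        if "/" not in component:
            continue                  # malformed entry, skip it
        package, cls = component.split("/", 1)
        if cls.startswith("."):       # short form: class relative to package
            cls = package + cls
        services.setdefault(package, set()).add(cls)
    return services

def unexpected_services(raw, allowlist=ALLOWLIST):
    """Return {package: sorted classes} for services not on the allowlist."""
    return {pkg: sorted(classes)
            for pkg, classes in parse_enabled_services(raw).items()
            if pkg not in allowlist}

def read_from_device():
    """Read the setting from a connected device (requires adb on PATH)."""
    return subprocess.run(
        ["adb", "shell", "settings", "get", "secure",
         "enabled_accessibility_services"],
        capture_output=True, text=True, check=True).stdout

# Constructed sample value; com.example.* names are placeholders, not IoCs.
SAMPLE = ("com.google.android.marvin.talkback/"
          "com.google.android.marvin.talkback.TalkBackService:"
          "com.example.supercleaner/.BoostService")

if __name__ == "__main__":
    for pkg, classes in unexpected_services(SAMPLE).items():
        print(f"review {pkg}: accessibility service {', '.join(classes)}")
```

A cleaner or antivirus app showing up in this output is worth a manual review, since such apps rarely need an accessibility service.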
