Malware, Endpoint/Device Security

Android banking trojan SharkBot distributed via Google Play Store

Share
Researchers at the NCC Group reported a new generation of the SharkBot banking trojan in the Google Play Store. Pictured: The Google logo is displayed on a Nexus 5X phone during a Google media event on Sept. 29, 2015, in San Francisco. (Photo by Justin Sullivan/Getty Images)
Researchers at the NCC Group reported a new generation of the SharkBot banking trojan in the Google Play Store. Pictured: The Google logo is displayed on a Nexus 5X phone during a Google media event on Sept. 29, 2015, in San Francisco. (Photo by Justin Sullivan/Getty Images)

Researchers last week reported that a “new generation” of the Android banking trojan SharkBot was distributed via the Google Play Store, putting the financial data and money of depositors at risk.  

In a blog post, NCC Group researchers said shortly after they published the original blogpost, they found several more SharkBot droppers in the Play Store.

According to the researchers, all of the SharkBot droppers appear to behave identically: the code seems to be a “copy-paste” in all of them. In addition, the same corresponding command and control (C2) server has been used for all the other droppers.

NCC Group researchers said they reported their findings to Google in all cases after discovery; all four of the apps have since been removed from the Google Play Store.

The SharkBot Android trojan can elude MFA on banking apps on Android smartphones, putting users’ financial data and money at risk, said Damon Ebanks, vice president at Veridium. Ebanks said this could lead to financial institutions having to invest in resources to recoup stolen funds.

“Google Play Protect should have prevented this from happening,” Ebanks said. “The whole point behind the idea of an App Store was to create a place for curated apps that are safe. The world will begin to wonder why we should have a one walled app store if anything can get listed."

SharkBot’s capabilities follow those of typical banking trojans that we see across both iOS and Android devices, said Hank Schless, senior manager, security solutions at Lookout. Schless said aside from actually building a fake version of a legitimate banking app, this strategy of implementing screen overlay attacks and keylogging is typically how trojans are effective. He said the added functionality of intercepting SMS messages would also let the threat actor see any multi-factor authentication codes that were sent to the device. 

“While the app stores have security safeguards in place, threat actors continue to innovate on new ways to circumvent those safeguards and get malicious software into those stores,” Schless said. “This shows how important it is to protect your smartphones and tablets in the same way you would a laptop or desktop. The tactics used with Sharkbot could be tweaked to just as easily steal login credentials for other services like healthcare or retail apps, and even be programmed to steal corporate login credentials.”

Related

UEFI malware delivery possible with PKfail issue

Such a vulnerability stems from impacted devices' usage of an American Megatrends International-generated Platform Key with the "DO NOT TRUST" tag that the vendors should have replaced, according to a report from the Binarly Research Team.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.