Updated SharkBot Variant Makes its Way into Google Play Store

What's new?

• The latest version of the SharkBot malware is using Automatic Transfer Systems (ATS) to transfer money by abusing the Accessibility permission on devices and grants itself additional required permissions.
• It can, therefore, know whenever a user opens a banking app to launch matching web injections and steal credentials.

Key functionalities

• Injections help the malware steal credentials by WebView using a fake login website (phishing). 
• Using keylogging capabilities, it steals credentials by logging accessibility events and sending logs to the C2 server.
• Further, it intercepts or hides SMS messages while also obtaining full remote control of an Android device via Accessibility Services.

Auto-reply feature

• This feature is used to drop feature-rich payloads onto the infected device by replying with a shortened Bit.ly URL. The initial dropper app has a light version of the malware to avoid detection and rejections by app stores.
• Using the auto-reply feature, the entire SharkBot version featuring ATS is fetched directly from the C2 and installed automatically. Moreover, the C2 relies on a DGA that makes it harder to detect/block the command-issuing domains.

Conclusion