AL2022_57 Android devices infiltrated by malware through fake Antivirus and Cleaner apps (8th September 2022)

Description 

The notorious banking trojan SharkBot has resurfaced once again on the Google Play Store, disguised behind Antivirus and Cleaner applications, dropping a new version of the malware.  

Summary 

In April 2022, researchers found the Sharkbot malware posing as antivirus and cleaner solutions in six applications on the Google Play store: Atom Clean-Booster Antivirus, Antivirus Super Cleaner, Alpha Antivirus Cleaner, Powerful Cleaner Antivirus and Center Security Antivirus (two applications with the same name from the same developer account). These applications were removed from the Google Play store, but before their removal they had been downloaded and installed approximately fifteen thousand times. Notably, the malware included a geofencing feature that allowed it to identify and attack specific targets in countries excluding China, India, Romania, Russia, Ukraine and Belarus.

Fast forward to August 2022: researchers saw the Sharkbot malware disguised as two new antivirus solutions, Kylhavy Mobile Security and Mister Phone Cleaner, dropping a newer version of the malware, version 2.25. Both applications have seen over sixty thousand installations between them, targeting users in Spain, Australia, Poland, Germany, the U.S. and Austria. Sharkbot aims to steal credentials and banking information. The new version includes updated command and control (C2) domain communication, a new domain generation algorithm (DGA) and fully refactored code. A newly introduced function is the ability to steal session cookies when victims log in to their bank accounts.

How it works 

Before installing the malware, the Sharkbot dropper checks the device's SIM provider country code to see whether the device is in one of the targeted countries. The dropper relies on abusing Android's accessibility permissions to install the malware: it makes a request to the C2 server, which provides a URL to download the malware onto the device, and then abuses the accessibility permissions again to install the malware automatically. The newer version of Sharkbot takes a different approach: it makes a request to the C2 server and receives the APK file of the malware directly. It does so with a POST request whose body is a JSON object containing the malware, the request body being encrypted using RC4 with a hard-coded key. The malware is installed by prompting the user to install the APK file as an update to the fake antivirus software. Once installed, the malware, via the antivirus app, asks the user to grant it accessibility permissions.
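An analyst-side sketch of the request format described above, added here as an example that is not part of this alert or of any published Sharkbot analysis: it decrypts a captured body with a candidate RC4 key and checks whether the result is a JSON object carrying a base64-encoded APK. The key, the JSON field name `apk` and the sample body are constructed placeholders, since the alert does not publish them.

```python
import base64
import json
from typing import Optional

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # keystream generation XOR data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decode_dropper_body(body: bytes, key: bytes) -> Optional[dict]:
    """Decrypt a captured body with a candidate key; return the JSON object or None.
    A wrong key gives byte noise that fails UTF-8/JSON decoding, so a non-None
    result is itself evidence that the candidate key is the right one."""
    try:
        obj = json.loads(rc4(key, body).decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None

def carries_apk(obj: dict, field: str = "apk") -> bool:
    """An APK is a ZIP, so a real payload decodes to bytes starting with PK\\x03\\x04."""
    blob = obj.get(field)
    if not isinstance(blob, str):
        return False
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:                         # binascii.Error is a ValueError
        return False
    return raw[:4] == b"PK\x03\x04"

# Constructed sample: placeholder key and a fake 20-byte "APK", not real traffic.
SAMPLE_KEY = b"placeholder-hardcoded-key"
SAMPLE_PLAINTEXT = json.dumps(
    {"apk": base64.b64encode(b"PK\x03\x04" + b"\x00" * 16).decode()}
).encode()
SAMPLE_BODY = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)
```

Run `decode_dropper_body(SAMPLE_BODY, SAMPLE_KEY)` followed by `carries_apk` on the result to see the round trip; a wrong key returns `None`.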

The features of the Sharkbot malware include overlay attacks, in which it steals credentials by presenting a WebView of a fake login page whenever a banking application is opened; credential theft by logging accessibility events such as changes to text fields and button clicks; interception of SMS messages on the device; and full remote control of the device via Accessibility Services. The new feature in 2.25 is cookie stealing, which lets the malware capture session cookies when a victim logs into a banking application; these cookies can then be used to replicate the session in a WebView. All captured information is exfiltrated to the malware's C2 server.

Indicators of Compromise  

The following links, domains and hashes are associated with the Sharkbot malware:

Sharkbot Google Play links:

  • hxxps://play.google.com/store/apps/details?id=com.kylhavy.antivirus
  • hxxps://play.google.com/store/apps/details?id=com.mbkristine8.cleanmaster

Sharkbot C2 domains:

  • hxxp://mefika.me/

Sharkbot DGA C2 domains:

  • 23080420d0d93913.live - 185.212.47.113
  • 7f3e61be7bb7363d.live - 185.212.47.113

Sharkbot 2.25

  • Hash: 7f2248f5de8a74b3d1c48be0db574b1c6558d6edae347592b29dc5234337a5ff
  • C2 domain: hxxp://browntrawler.store/ - 185.212.47.113

Remediation 

To avoid this type of malware, users are advised to follow the steps below:

  1. Download apps from trusted sources only. For an app you do not already trust, research the app and its developer, check the reviews and look for any signs of malicious activity.
  2. Have a reliable security solution. A reliable mobile security solution can identify malicious apps on your device and remove them. A security solution is your first line of defense against threats like the SharkBot malware.
  3. Be wary of applications asking for accessibility permissions. Accessibility services allow an application to take control of your device. Be extremely careful when granting this access, especially to an application that is not reputable or trusted.

The Guyana National CIRT recommends that users and administrators review this alert and make changes where necessary.  
