
Recently, researchers from the Check Point Research (CPR) team warned users that the Sharkbot malware found on Google Play earlier this year is still a live threat. Although the findings were immediately reported to Google and the apps were removed, the team says it has since found new malicious Sharkbot applications.

What is the Sharkbot malware?

Sharkbot is an Android stealer that poses as an antivirus (AV) solution on Google Play. It steals banking information and credentials, and it implements geofencing and other evasion techniques that make it stand out. One aspect that cybersecurity specialists single out, a Domain Generation Algorithm (DGA), is rarely seen in Android malware.

On the victim's device the malware draws windows that mimic legitimate credential input forms, luring the victim into entering their credentials.

The stolen data is then sent to a malicious server. Sharkbot uses its geofencing feature to target only specific victims, excluding users from Ukraine, Belarus, Romania, Russia, India and China. It also refuses to run when it detects that it is executing in a sandbox.

The applications found to be malicious

In the Google Play store the Check Point Research (CPR) team spotted six applications in total that were spreading the malware. According to the information available at the moment of discovery, those applications had already been downloaded and installed roughly 15 thousand times.

Three developer accounts were found to be spreading the malware: Bingo Like Inc, Adelmio Pagnotto and Zbynek Adamcik. On closer inspection by cybersecurity specialists it turned out that two of these accounts had already been active in the fall of 2021.

Statistics on malicious apps

Some of the apps that presumably belonged to these accounts were removed from Google Play but still exist on unofficial sites. Cybersecurity specialists explain that this may mean the developers of Sharkbot try to stay as unnoticed as possible while still carrying on their malicious activity.

Technical analysis of Sharkbot

Commands

As for the malware's main functionality, Sharkbot works with the traditional toolkit of Android bankers and stealers. Cybersecurity specialists found 27 versions of the bot.

In total, Sharkbot implements 22 commands. Through its Command-and-Control (CnC) server, threat actors can perform various types of malicious actions on the compromised device.

The main commands are the following:

removeApp

Strictly speaking this is not a command but a field of the updateConfig command. When that command is executed, the server supplies an extensive list of apps that should be uninstalled from the victim's device. Currently the list holds 680 application names.

autoReply

Like removeApp, this is not an actual command but a field in the updateConfig command. Through it the server supplies a message that the bot sends as an imitation reply to push events.

Swipe

This command imitates a user's swipe on the device screen. Cybersecurity specialists assume it was added so that threat actors can open the application or the device itself.

APP_STOP_VIEW

Here the CnC supplies package names, and the Accessibility Service then prevents the user from opening the named apps.

sendPush

Shows the user a push notification with the designated text.

iWantA11

Enables the Accessibility Service for Sharkbot.

getDoze

Disables battery optimization for Sharkbot’s package.

changeSmsAdmin

Collects the names of the previous and currently used default SMS applications and sends them to the malicious CnC.

collectContacts

Collects and sends stolen contacts to malicious servers.

uninstallApp

Uninstalls the app named in the package field.

smsSend

Checks whether the permission to send SMS messages has been granted. If it has, the malware can read and send SMS messages.

There are also some minor commands responsible mostly for Sharkbot's internal housekeeping.

Sharkbot server activity registered by the team

Network

Little malware can work without CnC server communication, and bankers and stealers in particular depend on it. This is where an interesting detail of this particular malware comes in.

When all of the threat actors' servers get blocked, they can fall back on a Domain Generation Algorithm, something almost never used in Android malware; Sharkbot is the exception.

A DGA is an algorithm by which the malicious client and the operator move to a new CnC domain without any communication taking place between them. With such an algorithm it is much harder to block the operator's servers, because a new domain is always available.

A DGA consists of two parts: the algorithm itself, and the constants the algorithm uses. Those constants are called DGA seeds; whoever knows both the algorithm and the seed can predict every domain the bot will try.
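To make the two-part idea concrete, here is a small date-seeded DGA written for this article. It is an added illustration and not Sharkbot's actual algorithm: the hashing scheme, the TLD pool, the seed string and the date handling are all assumptions. It shows the bot side (walk today's candidates until one resolves), the operator side (register just one of them) and the defender side (with a recovered seed, precompute and block every domain for the coming days):

```python
"""Illustrative date-seeded DGA (added example, not Sharkbot's real algorithm).

A DGA has two parts: the algorithm (this module) and the constants it uses,
the DGA seed. Bot and operator share both, so they agree on a fresh set of
CnC domains every day without ever exchanging a message.
"""
import hashlib
from datetime import date, timedelta
from typing import List, Optional, Set

# Assumed TLD pool; a real family picks its own.
TLDS = ("live", "xyz", "top")


def dga_domains(seed: str, day: str, count: int = 5) -> List[str]:
    """Return `count` candidate CnC domains for ISO date `day`, derived from `seed`.

    Each candidate is SHA-256(seed | day | index); the first 12 hex digits
    form the label (hex only, so always a valid DNS label) and the last byte
    selects the TLD. Same seed + same day => same list everywhere.
    """
    domains = []
    for i in range(count):
        material = f"{seed}|{day}|{i}".encode()
        digest = hashlib.sha256(material).hexdigest()
        label = digest[:12]
        tld = TLDS[int(digest[-2:], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def bot_find_cnc(seed: str, day: str, resolvable: Set[str]) -> Optional[str]:
    """Bot side: try today's candidates in order, use the first that resolves.

    `resolvable` stands in for DNS here; the operator only has to register one
    of the candidates for the bot to find it.
    """
    for domain in dga_domains(seed, day):
        if domain in resolvable:
            return domain
    return None


def defender_blocklist(seed: str, start: str, days: int) -> Set[str]:
    """Defender side: with a recovered seed, enumerate every domain the bot can
    possibly use for the next `days` days and block or sinkhole them all."""
    first = date.fromisoformat(start)
    blocked: Set[str] = set()
    for offset in range(days):
        day = (first + timedelta(days=offset)).isoformat()
        blocked.update(dga_domains(seed, day))
    return blocked


if __name__ == "__main__":
    seed = "example-seed-0001"          # constructed, not a real Sharkbot seed
    today = "2022-03-15"
    # The operator registers only the third candidate for today.
    registered = {dga_domains(seed, today)[2]}
    print("bot uses:", bot_find_cnc(seed, today, registered))
    print("domains to block for the next week:",
          len(defender_blocklist(seed, today, 7)))
```

Note the asymmetry this creates: blocking the eight IP addresses mentioned later in the article does nothing against the bot's fallback, whereas recovering the seed from a sample lets a defender pre-register or sinkhole the whole future domain set.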

Protocol and a knock-packet

The exchange with the CnC server takes place over HTTP, as a POST request to the path /. Both requests and responses are encrypted with RC4.

At a fixed interval the bot sends a knock packet to the server. By default, the packet is sent every 30 seconds. The interval can be changed with the updateTimeKnock command.
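The exchange described above, reconstructed as a toy in Python for this article (added example, not Sharkbot's code): an RC4 routine, a bot that builds a knock packet as an RC4-encrypted POST body for path /, a server that answers with queued commands, and the bot applying an updateTimeKnock reply. The JSON field names, the RC4 key, the command payload layout and the 30-second default are assumptions or taken from the text; the real bot's wire format is not documented here. A small periodicity helper at the end shows the defender's view of the same traffic:

```python
"""Toy reconstruction of the knock-packet exchange (added example, not Sharkbot's code).

Assumptions: JSON bodies, a fixed embedded RC4 key, and command objects of the
form {"name": ..., "seconds": ...}. Only the path "/" and the RC4 + HTTP POST
transport come from the article.
"""
import json
import statistics
from typing import Dict, List, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


KEY = b"constructed-rc4-key"      # assumption: stands in for the bot's embedded key
DEFAULT_KNOCK_SECONDS = 30        # default knock interval from the article


class Bot:
    """Client side of the exchange."""

    def __init__(self, bot_id: str) -> None:
        self.bot_id = bot_id
        self.knock_interval = DEFAULT_KNOCK_SECONDS

    def build_knock(self) -> Tuple[str, bytes]:
        """Return (path, encrypted POST body) for one knock packet."""
        body = json.dumps({"type": "knock", "id": self.bot_id}).encode()
        return "/", rc4(KEY, body)

    def handle_response(self, ciphertext: bytes) -> List[str]:
        """Decrypt the reply and apply any commands; return the command names seen."""
        reply = json.loads(rc4(KEY, ciphertext).decode())
        seen = []
        for cmd in reply.get("commands", []):
            seen.append(cmd["name"])
            if cmd["name"] == "updateTimeKnock":
                self.knock_interval = int(cmd["seconds"])
        return seen


def server_handle(path: str, body: bytes, pending: Dict[str, List[dict]]) -> bytes:
    """Server side: decrypt the knock, hand back whatever is queued for that bot."""
    if path != "/":
        raise ValueError("unexpected path")
    request = json.loads(rc4(KEY, body).decode())
    commands = pending.get(request["id"], [])
    return rc4(KEY, json.dumps({"commands": commands}).encode())


def beacon_period(timestamps: List[float]) -> float:
    """Defender side: median gap between consecutive requests from one host.

    Periodic POSTs to "/" every ~30 s with an opaque body are a beaconing
    signature regardless of the RC4 layer; this returns the estimated period.
    """
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return statistics.median(gaps)


if __name__ == "__main__":
    bot = Bot("bot-1")
    queue = {"bot-1": [{"name": "updateTimeKnock", "seconds": 120}]}
    path, body = bot.build_knock()
    print("encrypted knock body:", body.hex())
    bot.handle_response(server_handle(path, body, queue))
    print("knock interval is now", bot.knock_interval, "seconds")
    # constructed proxy timestamps: one host posting to "/" roughly every 30 s
    print("estimated beacon period:", beacon_period([0, 30, 60, 91, 120]))
```

Because RC4 is a stream cipher with a fixed key, the body looks random on the wire but carries no integrity protection: anyone with the key recovered from the APK can both read the traffic and forge commands to the bot, which is also what makes the interval pattern, rather than the content, the practical detection handle.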

Infrastructure

At the time the report was published, the Check Point Research (CPR) team had found 8 IP addresses that Sharkbot operators used at different times.

Researchers assume there is actually one real server and the others are simply relays. The malicious operation peaked in March; cybersecurity specialists connect this to the active use of Sharkbot's dropper on Google Play.

Targets' statistics

According to the location based statistics the main targets were in the United Kingdom and Italy.

Droppers

Initially, the malware is downloaded and installed masquerading as an AV solution. Once on the victim's device, Sharkbot checks for emulators and, if one is found, stops running.

If an emulator is found, no communication with the CnC takes place. The malware also won't run at all if the device locale is Ukraine, Belarus, Russia, Romania, India or China.

The part of the dropper controlled by the CnC server understands 3 commands:

  • Downloading and installing the APK file from the provided URL;
  • Storing the autoReply field in a local session;
  • Restarting the execution of the local session;

All of the droppers request the same set of permissions.

They then register a service in order to receive Accessibility Events.

Conclusion

In the fast pace of today's life you can sometimes miss the red flags of malware in an app store. Finally, the Check Point Research team gave short advice on how to avoid malicious apps, especially ones like this that masquerade as an AV solution:

  • Immediately report any suspicious app you encounter in the store;
  • Avoid downloading an application from a new publisher; instead look for an equivalent one from a trusted publisher;
  • Install applications only from trusted and well-known publishers.

Even though Google immediately removed the malicious applications, they had already been downloaded 15,000 times. The damage was done. This shows once again that user awareness still matters when deciding whether to download an app.

About Andrew Nail

Cybersecurity journalist from Montreal, Canada. Studied communication sciences at Universite de Montreal. I was not sure whether a journalist's job is what I want to do with my life, but combined with the technical sciences, it is exactly what I like to do. My job is to pick up the latest trends in the cybersecurity world and help people deal with the malware they have on their PCs.
