Recently the researchers from the Check Point Research (CPR) team warned users over still present danger of Sharkbot malware found this year on Google Play. Although the findings were immediately reported to Google and removed, the team says they found new malicious Sharkbot applications.
What is Sharkbot malware?
Sharkbot is an Android stealer that pretends to be an AV solution on Google Play. This malware steals banking information and credentials while implementing geofencing and other evasive techniques that make it really stand out. An interesting aspect that cybersecurity specialists point out to — a Domain Generation Algorithm (DGA) — is a thing rarely used among Android malware.
On the victim’s device the malware creates windows that mimic benign credential input forms, luring victims into entering their credentials.
The compromised data is then sent to a malicious server. Sharkbot uses its geofencing feature to target only specific victims excluding users from Ukraine, Belarus, Romania, Russia, India and China. In addition it won’t work if executed in a sandbox.
In the Google Play store the CheckPoint Research (CPR) team in total spotted six various applications that were spreading malware. According to the information received from those applications at the moment of discovery were already downloaded and installed roughly 15 thousand times.
Three developer accounts accused of spreading the malware: Bingo Like Inc, Adelmio Pagnotto and Zbynek Adamcik. Under the close inspection by cybersecurity specialists it became known that two of the mentioned accounts were already active in the fall of 2021.
Some of the apps that presumably belonged to these accounts were removed from Google Play but still exist on unofficial sites. Cybersecurity specialists explain that this could mean that developers of Sharkbot try to stay as unnoticed as possible while still conducting malicious activity.
Technical analysis of Sharkbot
Commands
To speak about malware’s main functionality Sharkbot operates with traditional Android bankers and stealers toolkits. Cybersecurity specialists found 27 versions of the bot.
In total, Sharkbot can implement 22 commands. With the use of a Command-and-Control server (CnC) on the compromised device, threat actors can perform various types of malicious actions.
Those performed commands are the following:
removeApp
Actually this is not a command but a field of the updateConfig command. During the execution of this command the server creates an extensive list of apps that should be uninstalled from the victim’s device. Currently the list holds 680 application names.
autoReply
The same, this is not the actual command but a field in the updateConfig command. During this command the server sends a message imitating an answer on push events.
Swipe
This command imitates the user’s swipe on the screen of a device. Cybersecurity specialists assume this was done to enable threat actors to open the application or the whole device.
APP_STOP_VIEW
Here the CnC creates package names and then the Accessibility Service doesn’t allow users to access the named apps.
sendPush
The command shows a user a push message with designated text.
iWantA11
Enables the Accessibility Service for Sharkbot.
getDoze
Disables battery optimization for Sharkbot’s package.
changeSmsAdmin
Collects the names of old and currently used default SMS applications to the malicious CnC.
collectContacts
Collects and sends stolen contacts to malicious servers.
uninstallApp
This command uninstalls the named in the package app.
smsSend
The action checks if the permission for sending SMSs has been granted. If the permission is granted the malware can then read and send SMSs.
There are also some minor commands responsible for mostly inner work of the Sharkbot.
Network
There’s not that much malware that can work without CnC server communication. Bankers and stealers are those that need the communication with CnC server. And here comes an interesting fact about this particular malware.
When threat actors have all their servers blocked they can use Domain Generation Algorithm, the thing that almost never is used in Android malware, but Sharkbot is an exception.
DGA is an algorithm where a malicious client and malicious actor change the CnC server without any communication taking place. With this algorithm it’s harder to block malware operator’s servers.
DGA will consist of two parts: the actual algorithm, and the constants that this algorithm uses. The constants are called DGA seeds.
Protocol and a knock-packet
The exchange in CnC server takes place over HTTP with POST request on path /. Both requests and answers are encrypted with RC4.
From time to time in the clearly set period of time the bot will send a knock-packet to the server. By default, the packet will be sent every 30 seconds. The time period can be changed with the command updateTimeKnock.
Infrastructure
At the time of publishing a report, the Check Point Research (CPR) team found 8 IP addresses which were used at different times by Sharkbot operators.
Researchers assume that there’s actually one real server and the others are simply relays. The peak activity of the malicious operation increased in March; cybersecurity specialists connected the fact to the active use of Sharkbot’s dropper on Google Play.
According to the location based statistics the main targets were in the United Kingdom and Italy.
Droppers
At the beginning, the malware gets downloaded and installed masqueraded as an AV solution. Once on the victim’s machine the Sharkbot detects emulators and if one is found it quits running.
In case if an emulator is found, no communications with CnC will happen. But the malware won’t be running at all if the locale is Ukraine, Belarus, Russia, Romania, India and China.
That part of the application that is controlled by the CnC server understands 3 commands:
- Downloading and installing the APK file from the provided URL;
- Storing the autoReply field in a local session;
- Restarting the execution of the local session;
All of them will request the same set of permissions.
Subsequently they will register the service in order to get access to Accessibility Events.
Conclusion
In the fast pace of today’s life sometimes you can miss a red sign of malwareness in an app store. At the last the CheckPoint Research Team gave short advises on how to avoid the malicious apps especially those like this one masqueraded as an AV solution:
- Immediately report all suspicious apps you encounter on store;
- Avoid downloading an application from a new publisher, instead try to find an analogous one from a trusted publisher;
- Install applications only from trusted and well known publishers.
Even though Google immediately removed the malicious applications they were already downloaded 15,000 thousand times. The damage is done. The fact shows once again that user awareness still should be taken into account when deciding on whether to download an app or not.