Sharkbot malware bites again

Researchers from the Check Point Research (CPR) team have recently warned users that Sharkbot malware, first found on Google Play earlier this year, is still a live threat. Although the original findings were reported to Google immediately and the apps were removed, the team says it has since found new malicious Sharkbot applications.

What is Sharkbot malware?

Sharkbot is an Android stealer that poses as an antivirus (AV) solution on Google Play. It steals banking information and credentials, and its geofencing and other evasive techniques make it stand out. One aspect that cybersecurity specialists single out is its use of a Domain Generation Algorithm (DGA), something rarely seen in Android malware.

On the victim’s device the malware draws overlay windows that mimic legitimate credential input forms, luring victims into entering their credentials.

The stolen data is then sent to a malicious server. Sharkbot uses its geofencing feature to target only specific victims, excluding users in Ukraine, Belarus, Romania, Russia, India and China. In addition, it will not run if it detects that it is executing in a sandbox.

Figure: The applications found to be malicious

In the Google Play store the Check Point Research (CPR) team spotted six different applications that were spreading the malware. According to the information gathered from those applications, at the moment of discovery they had already been downloaded and installed roughly 15 thousand times.

Three developer accounts were identified as spreading the malware: Bingo Like Inc, Adelmio Pagnotto and Zbynek Adamcik. On closer inspection by cybersecurity specialists it turned out that two of these accounts had already been active in the fall of 2021.

Figure: Statistics on malicious apps

Some of the apps that presumably belonged to these accounts were removed from Google Play but are still available on unofficial sites. Cybersecurity specialists explain that this could mean the developers of Sharkbot are trying to stay as unnoticed as possible while still carrying on their malicious activity.

Technical analysis of Sharkbot

Commands

In terms of core functionality, Sharkbot uses the traditional toolkit of Android bankers and stealers. Cybersecurity specialists found 27 versions of the bot.

In total, Sharkbot implements 22 commands. Through its Command-and-Control (CnC) server, threat actors can perform various kinds of malicious actions on the compromised device.

The commands are the following:

removeApp

This is not actually a separate command but a field of the updateConfig command. When it is processed, the server supplies an extensive list of apps that should be uninstalled from the victim’s device. Currently the list holds 680 application names.

autoReply

Likewise, this is not a separate command but a field in the updateConfig command. With it, the server sends a message that imitates an answer to push events.

Swipe

This command imitates a user swiping on the device screen. Cybersecurity specialists assume it was added so that threat actors can open the application or the whole device.

APP_STOP_VIEW

Here the CnC specifies package names, and the Accessibility Service then prevents the user from accessing the named apps.

sendPush

Shows the user a push message with the specified text.

iWantA11

Enables the Accessibility Service for Sharkbot.

getDoze

Disables battery optimization for Sharkbot’s package.

changeSmsAdmin

Collects the names of the previous and current default SMS applications and sends them to the malicious CnC.

collectContacts

Collects and sends stolen contacts to malicious servers.

uninstallApp

Uninstalls the app whose package name is given in the command.

smsSend

The command first checks whether permission to send SMS messages has been granted. If it has, the malware can then read and send SMS messages.

There are also some minor commands that mostly handle Sharkbot’s internal housekeeping.

Figure: Sharkbot server activity registered by the team

Network

Very little malware can operate without communicating with a CnC server, and bankers and stealers are precisely the kind that depend on it. This is where an interesting fact about this particular malware comes in.

When all of the threat actors’ servers have been blocked, they can fall back on a Domain Generation Algorithm. This is almost never used in Android malware, but Sharkbot is an exception.

A DGA is an algorithm that lets the malicious client and the malicious actor switch to a new CnC server without any communication between them, because both sides compute the same domain names independently. With this algorithm in place, it is harder to block the malware operator’s servers.

A DGA consists of two parts: the algorithm itself, and the constants that the algorithm uses. The constants are called DGA seeds.
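To make the two parts concrete, here is an added example in Python (not Sharkbot’s real algorithm, which the report does not disclose, and not code from CPR): a constructed toy DGA in which the algorithm and the seed are separate, plus the defender’s side of the picture, where a recovered algorithm and seed let future domains be precomputed into a blocklist and matched against DNS logs. The log line layout, the seeds and the dates are all assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constructed toy DGA for illustration only. It is NOT Sharkbot's algorithm
# (the report does not publish it). Part 1, the algorithm: hash the seed,
# the date and a counter, then map digest bytes onto letters. Part 2, the
# seed: the constant that the operator and every bot share.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def domains_for_day(seed, day_iso, count=5, length=12):
    """Candidate CnC domains the toy algorithm yields for one day and one seed."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day_iso}|{i}".encode()).digest()
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])
        domains.append(label + ".com")
    return domains

def precompute_blocklist(seeds, start_iso, days):
    """Defender side: once algorithm and seeds are recovered from a sample, every
    rendezvous domain for the coming period can be generated ahead of time and
    sinkholed or blocked, which is the counter to 'harder to block'."""
    start = date.fromisoformat(start_iso)
    blocklist = set()
    for seed in seeds:
        for offset in range(days):
            day = (start + timedelta(days=offset)).isoformat()
            blocklist.update(domains_for_day(seed, day))
    return blocklist

def flag_dga_lookups(log_lines, blocklist):
    """Return queried names from DNS log lines that hit the blocklist.
    Assumed log layout: '<timestamp> <client-ip> <qtype> <qname>'."""
    return [line.split()[-1] for line in log_lines if line.split()[-1] in blocklist]

def demo():
    """Constructed scenario: two recovered seeds, 30 days of domains, and a small
    constructed DNS log in which one client resolves a DGA domain."""
    blocklist = precompute_blocklist(["seed-A", "seed-B"], "2022-03-01", 30)
    dga_name = domains_for_day("seed-A", "2022-03-15")[2]  # a mid-period domain
    dns_log = [  # constructed, not real traffic
        "2022-03-15T09:12:01 10.0.0.5 A www.example.org",
        f"2022-03-15T09:12:07 10.0.0.5 A {dga_name}",
        "2022-03-15T09:12:09 10.0.0.7 AAAA mail.example.org",
    ]
    return len(blocklist), flag_dga_lookups(dns_log, blocklist)

if __name__ == "__main__":
    print(demo())
```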

Protocol and a knock-packet

Communication with the CnC server takes place over HTTP, using POST requests to the path /. Both requests and responses are encrypted with RC4.

At a fixed interval the bot sends a knock-packet to the server. By default, the packet is sent every 30 seconds; the interval can be changed with the updateTimeKnock command.
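As an added example (not CPR’s code), here is how a defender can use the knock-packet’s regularity: because the body is RC4-encrypted, content inspection yields nothing, but a POST to / recurring from one device to one host roughly every 30 seconds is a periodicity signal in proxy logs. The period is a parameter because updateTimeKnock can change it; the log layout and the 203.0.113.10 server address are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed proxy log lines (not real traffic). Assumed layout per line:
# <ISO timestamp> <client-ip> <method> <host> <path>
PROXY_LOG = """
2022-03-01T10:00:00 10.0.0.5 POST 203.0.113.10 /
2022-03-01T10:00:30 10.0.0.5 POST 203.0.113.10 /
2022-03-01T10:01:00 10.0.0.5 POST 203.0.113.10 /
2022-03-01T10:01:31 10.0.0.5 POST 203.0.113.10 /
2022-03-01T10:02:00 10.0.0.5 POST 203.0.113.10 /
2022-03-01T10:00:05 10.0.0.7 GET www.example.org /index.html
2022-03-01T10:03:40 10.0.0.7 POST www.example.org /login
2022-03-01T10:09:12 10.0.0.7 POST www.example.org /login
""".strip().splitlines()

def find_knock_beacons(lines, period=30.0, tolerance=2.0, min_hits=4):
    """Flag (client, host) pairs whose POST / requests recur at ~period seconds.

    Only the timing is inspected: the RC4-encrypted bodies are opaque, and the
    default 30-second knock is the text's stated interval. `period` should be
    widened or swept if the operator has changed it via updateTimeKnock."""
    per_pair = defaultdict(list)
    for line in lines:
        ts, src, method, host, path = line.split()
        if method == "POST" and path == "/":
            per_pair[(src, host)].append(datetime.fromisoformat(ts))
    flagged = []
    for (src, host), stamps in per_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Median close to the period and low jitter: a timer, not a human
        if abs(median(deltas) - period) <= tolerance and pstdev(deltas) <= tolerance:
            flagged.append({"src": src, "host": host, "hits": len(stamps),
                            "median_delta": median(deltas)})
    return flagged

if __name__ == "__main__":
    for hit in find_knock_beacons(PROXY_LOG):
        print(hit)
```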

Infrastructure

At the time the report was published, the Check Point Research (CPR) team had found 8 IP addresses that were used at different times by Sharkbot operators.

Researchers assume that there is actually only one real server and that the others are simply relays. Activity of the malicious operation peaked in March; cybersecurity specialists link this to the active use of Sharkbot’s dropper on Google Play.

Figure: Targets’ statistics

According to the location-based statistics, the main targets were in the United Kingdom and Italy.

Droppers

Initially, the malware is downloaded and installed while masquerading as an AV solution. Once on the victim’s device, Sharkbot checks for emulators and, if one is detected, stops running.

If an emulator is detected, no communication with the CnC takes place at all. The malware also refuses to run if the device locale is Ukraine, Belarus, Russia, Romania, India or China.

The part of the application that is controlled by the CnC server understands 3 commands:

  • Downloading and installing the APK file from the provided URL;
  • Storing the autoReply field in a local session;
  • Restarting the execution of the local session;

All of them will request the same set of permissions.

Subsequently they register the service in order to gain access to Accessibility Events.

Conclusion

In the fast pace of today’s life it is easy to miss the warning signs of malware in an app store. Finally, the Check Point Research team gave short advice on how to avoid malicious apps, especially ones that, like this one, masquerade as an AV solution:

  • Immediately report all suspicious apps you encounter in the store;
  • Avoid downloading an application from a new publisher, instead try to find an analogous one from a trusted publisher;
  • Install applications only from trusted and well known publishers.

Even though Google immediately removed the malicious applications, they had already been downloaded 15,000 times. The damage is done. This shows once again that user awareness still matters when deciding whether or not to download an app.

Andrew Nail
