Researchers have found the info-stealing Android malware Sharkbot lurking unsuspected in the depths of the Google Play store under the cover of anti-virus (AV) solutions.
While analyzing suspicious applications on the store, the Check Point Research (CPR) team found what purported to be genuine AV solutions downloading and installing the malware, which steals credentials and banking info from Android devices but also has a range of other unique features.
“Sharkbot lures victims to enter their credentials in windows that mimic benign credential input forms,” CPR researchers Alex Shamsur and Raman Ladutska wrote in a report published Thursday. “When the user enters credentials in these windows, the compromised data is sent to a malicious server.”
Researchers discovered six different applications—including ones named Atom Clean-Booster, Antivirus; Antvirus Super Cleaner; and Center Security-Antivirus—spreading Sharkbot. The apps came from three developer accounts—Zbynek Adamcik, Adelmio Pagnotto and Bingo Like Inc.—at least two of which were active in the autumn of last year. The timeline makes sense, as Sharkbot first came onto researchers’ radar screens in November.
“Some of the applications linked to these accounts were removed from Google Play, but still exist in unofficial markets,” researchers wrote. “This could mean that the actor behind the applications is trying to stay under the radar while still involved in malicious activity.”
Google removed the offending applications, but not before they were downloaded and installed about 15,000 times, researchers said. Primary targets of Sharkbot are users in the United Kingdom and Italy, as was previously the case, they said.
CPR researchers peered under the hood of Sharkbot and uncovered not only typical info-stealing tactics, but also some characteristics that set it apart from typical Android malware. It includes a geofencing feature that selects victims based on geographic area, ignoring users from China, India, Romania, Russia, Ukraine or Belarus, they said.
Sharkbot also boasts some clever techniques, researchers noted. “If the malware detects it is running in a sandbox, it stops the execution and quits,” they wrote.
Another unique hallmark of the malware is that it makes use of a Domain Generation Algorithm (DGA), a technique rarely seen in malware for the Android platform, researchers said.
“With DGA, one sample with a hardcoded seed generates seven domains per week,” they wrote. “Including all the seeds and algorithms we have observed, there is a total of 56 domains per week, i.e., 8 different combinations of seed/algorithm.”
Researchers observed 27 versions of Sharkbot in their research; the main difference between versions was different DGA seeds as well as different botnetID and ownerID fields, they said.
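The DGA detail matters to defenders because a recovered seed and algorithm let them predict the coming week’s C2 domains and block them ahead of time. The following is an added example, not code from the CPR report or from Sharkbot: the hashing scheme, seeds and TLD list are hypothetical stand-ins that only reproduce the report’s arithmetic (7 domains per seed/algorithm per week, 8 combinations, 56 per week) and the DNS log lines are constructed.

```python
"""Defender-side DGA precomputation: predict a week's domains and flag DNS queries to them."""
import hashlib
from datetime import date

# Hypothetical TLD table; Sharkbot's real algorithm is not described in the article.
TLDS = ["com", "net", "org"]

# Constructed seed/algorithm combinations: 8, matching the count CPR reported.
COMBOS = [(f"seed{n}", n % 3) for n in range(8)]

def week_id(day):
    """ISO year/week so every day of the same week maps to the same domain set."""
    year, week, _ = day.isocalendar()
    return year * 100 + week

def gen_domains(seed, algorithm, day, per_week=7):
    """Toy weekly DGA (hypothetical): hash seed, algorithm variant, week and index."""
    domains = []
    for i in range(per_week):
        digest = hashlib.sha256(f"{seed}|{algorithm}|{week_id(day)}|{i}".encode()).hexdigest()
        domains.append(f"{digest[:12]}.{TLDS[algorithm % len(TLDS)]}")
    return domains

def weekly_blocklist(combos, day):
    """Union of all seed/algorithm combinations for the week containing `day`."""
    blocklist = set()
    for seed, algorithm in combos:
        blocklist.update(gen_domains(seed, algorithm, day))
    return blocklist

def flag_dga_queries(log_lines, blocklist):
    """Return (client, domain) pairs for DNS log lines that resolve a predicted domain.
    Expected line shape (constructed): '<timestamp> <client-ip> <queried-name>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than failing the whole run
        client, domain = parts[1], parts[2].rstrip(".").lower()
        if domain in blocklist:
            hits.append((client, domain))
    return hits

DAY = date(2022, 3, 15)  # a date inside the reporting timeline; any day in the week works
PREDICTED = gen_domains("seed0", 0, DAY)[0]
SAMPLE_LOGS = [  # constructed DNS resolver log lines
    f"2022-03-15T09:12:01Z 10.0.0.7 {PREDICTED}.",
    "2022-03-15T09:12:02Z 10.0.0.8 play.google.com.",
    "malformed line",
]
```

Run `flag_dga_queries(SAMPLE_LOGS, weekly_blocklist(COMBOS, DAY))` to see the single constructed hit from 10.0.0.7; the blocklist for any one week holds 56 entries.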
All in all, Sharkbot implements 22 commands that allow various malicious actions to be executed on a user’s Android device, including: requesting permission to send SMS messages; uninstalling a given application; sending the device’s contact list to a server; disabling battery optimization so Sharkbot can run in the background; and imitating the user’s swipe over the screen.
Timeline of Activity
Researchers first discovered four applications of the Sharkbot Dropper on Google Play on Feb. 25 and shortly thereafter reported their findings to Google on March 3. Google removed the applications on March 9 but then another Sharkbot dropper was discovered six days later, on March 15.
CPR immediately reported the third dropper and then found two more Sharkbot droppers on March 22 and March 27, which they also reported quickly to Google for removal.
The droppers by which Sharkbot spreads in and of themselves should raise concern, researchers said. “As we can judge by the functionality of the droppers, their possibilities clearly pose a threat by themselves, beyond just dropping the malware,” they wrote in the report.
Specifically, researchers found the Sharkbot dropper masquerading as the following applications on Google Play:
The droppers also have a few of their own evasion tactics, such as detecting emulators and quitting if one is found, researchers noted. They also are able to inspect and act on all the UI events of the device as well as replace notifications sent by other applications.
“In addition, they can install an APK downloaded from the CnC, which provides a convenient starting point to spread the malware as soon as the user installs such an application on the device,” researchers added.
Google Play Under Fire
Google has long struggled with the persistence of malicious applications and malware on its Android app store and has made significant efforts to clean up its act.
However, the emergence of Sharkbot disguised as AV solutions shows that attackers are getting sneakier in how they hide their malicious activity on the platform, and could serve to damage users’ confidence in Google Play, noted a security professional.
“Malware apps that conceal their malicious functionality with time delays, code obfuscation and geofencing can be challenging to detect during the app review process, but the regularity that they are discovered lurking in official app stores really damages user trust in the safety of all apps on the platform,” observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel, in an email to Threatpost.
With the smartphone at the center of people’s digital lives and acting as a hub of financial, personal and work activity, “any malware that compromises the security of such a central device can do significant financial or reputational damage,” he added.
Another security professional urged Android users to exercise caution when deciding whether or not to download a mobile app from a reputable vendor’s store, even if it’s a trusted brand.
“When installing apps from various technology stores, it is best to research the app before downloading it,” observed James McQuiggan, security awareness advocate at KnowBe4. “Cybercriminals love to trick users into installing malicious apps with hidden functionalities in an attempt to steal data or take over accounts.”