SharkBot malware hides as Android antivirus in Google Play (Security News, March 2022)

SharkBot banking malware has infiltrated the Google Play Store, the official Android app repository, posing as an antivirus with system cleaning capabilities.
SharkBot was discovered in Google Play by researchers at the NCC Group, who today published a detailed technical analysis of the malware.
Remote control/ATS: SharkBot has the ability to obtain full remote control of an Android device.
To perform the above, SharkBot abuses the Accessibility permission on Android and then grants itself additional permissions as needed.
One of the notable differences between SharkBot and other Android banking trojans is its use of relatively new components that leverage the 'Direct reply' feature for notifications.
SharkBot can now intercept new notifications and reply to them with messages coming directly from the C2. As noted in the NCC report, SharkBot uses this feature to drop feature-rich payloads onto the compromised device by replying with a shortened Bit.ly URL. The initial SharkBot dropper app contains a light version of the actual malware to reduce the risk of detection and app store rejections.
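For defenders vetting apps, the capabilities described above leave traces in an app's decoded manifest. The following is an added example, not code from the article or from NCC Group: it triages a decoded `AndroidManifest.xml` for a declared accessibility service, a notification listener service and the permission to install packages. The permission names are real Android constants; treating them as signals for this behaviour, and the sample manifest itself, are assumptions of the example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"

# Constructed sample: decoded manifest of a hypothetical "cleaner" app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Cleaner">
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Report which of the capabilities described above a manifest declares."""
    root = ET.fromstring(xml_text.strip())
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    a11y, listeners = [], []
    for svc in root.iter("service"):
        # A service is bound by the system only if guarded by this permission.
        guard = svc.get(ANDROID + "permission")
        if guard == ACCESSIBILITY:
            a11y.append(svc.get(ANDROID + "name"))
        elif guard == NOTIF_LISTENER:
            listeners.append(svc.get(ANDROID + "name"))
    flags = []
    if a11y:
        flags.append("accessibility-service")
    if listeners:
        flags.append("notification-listener")
    if INSTALL in requested:
        flags.append("can-install-packages")
    # Assumption: accessibility plus package install merits manual review,
    # especially for an app marketed as an antivirus or cleaner.
    if a11y and INSTALL in requested:
        flags.append("review: dropper-like combination")
    return {"package": root.get("package"), "accessibility": a11y,
            "listeners": listeners, "flags": flags}
```

A flag here is a prompt for manual review, not a verdict: legitimate assistive and automation apps declare the same services.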