In a blog post, NCC Group researchers said that shortly after they published their original blog post, they found several more SharkBot droppers in the Play Store.
According to the researchers, all of the SharkBot droppers appear to behave identically: the code seems to be a “copy-paste” in all of them. In addition, the same corresponding command and control (C2) server has been used for all the other droppers.
NCC Group researchers said they reported their findings to Google in all cases after discovery; all four of the apps have since been removed from the Google Play Store.
The SharkBot Android trojan can elude MFA on banking apps on Android smartphones, putting users’ financial data and money at risk, said Damon Ebanks, vice president at Veridium. Ebanks said this could lead to financial institutions having to invest in resources to recoup stolen funds.
“Google Play Protect should have prevented this from happening,” Ebanks said. “The whole point behind the idea of an App Store was to create a place for curated apps that are safe. The world will begin to wonder why we should have a one walled app store if anything can get listed.”
SharkBot’s capabilities follow those of typical banking trojans that we see across both iOS and Android devices, said Hank Schless, senior manager, security solutions at Lookout. Schless said aside from actually building a fake version of a legitimate banking app, this strategy of implementing screen overlay attacks and keylogging is typically how trojans are effective. He said the added functionality of intercepting SMS messages would also let the threat actor see any multi-factor authentication codes that were sent to the device.
“While the app stores have security safeguards in place, threat actors continue to innovate on new ways to circumvent those safeguards and get malicious software into those stores,” Schless said. “This shows how important it is to protect your smartphones and tablets in the same way you would a laptop or desktop. The tactics used with SharkBot could be tweaked to just as easily steal login credentials for other services like healthcare or retail apps, and even be programmed to steal corporate login credentials.”