SharkBot Trojan Spread Via Android File Manager Apps

Now-removed apps have 10,000 downloads, target victims in the UK and Italy

Prajeet Nair (@prajeetspeaks) •
November 26, 2022

The operators behind the banking Trojan SharkBot are targeting Google Play users by masquerading as now-removed Android file manager apps, which have accumulated tens of thousands of installs so far.

Cybersecurity firm Bitdefender says it found apps in the Google Play store that masquerade as file managers and, shortly after installation, “act as droppers for SharkBot bankers, depending on the user’s location.”

“The Google Play Store is likely to detect a trojan banker uploaded to their repository, so criminals are turning to more covert methods. One way is with an app, sometimes legitimate with some of the advertised features, that acts as a dropper for more insidious malware,” Bitdefender researchers say.

The applications uncovered by Bitdefender are disguised as file managers and request permission to install external packages, which leads to the download of the malware.

“Since Google Play apps only need the functionality of a file manager to install another app and the malicious behavior is enabled for a limited pool of users, it is a challenge to detect it,” say researchers.

Although the apps have now been removed from Google Play, researchers warn that they are still present across the internet in various third-party stores, making them an ongoing threat.

Most of the users who downloaded the apps were in the UK and Italy, with a small minority in other countries.

Typically, a banking Trojan harvests user credentials and other sensitive financial and personal information stored on a device for use in future online fraud or phishing campaigns.

X File Manager

Researchers at Bitdefender found the app X-File Manager on Google Play with more than 10,000 installs before it was removed.

This app installs a SharkBot instance labeled _File Manager and tricks the user into thinking that an update to the app needs to be installed.

“The developer profile on Google Play appears to be visible only to users from Italy and Great Britain. Accessing its page without specifying the country code is not possible,” say researchers.

Bitdefender also says that several users have reported the app and that it has received a number of negative reviews, particularly from Italy.

In further analysis of the X-File Manager application, researchers at Bitdefender found that the application requires several permissions from users, which include:

They also found that the app runs anti-emulator checks and targets users in Great Britain and Italy by verifying whether the SIM ISO country code matches IT or GB.

“It also checks if the users have at least one of the targeted banking apps installed on their devices,” say researchers. “The application executes a request at URI, downloads the package, and writes the malicious payload to the device.”

The dropper finally fakes an update for the current app to complete the installation process and prompts users to install the downloaded APK.
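As an added illustration for analysts (this is not Bitdefender's code and is not taken from the real apps), the following Python triage helper flags the combination the article describes: a manifest that holds the permission to install other packages and also declares visibility into other installed packages, as a dropper would need in order to check for targeted banking apps. The manifests and package names are constructed; on a real APK the manifest must first be decoded from its binary form, and a genuine file manager legitimately holds the install permission, so the result is a triage signal rather than a verdict.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# A dropper of this kind needs to install another package and to see which
# packages are already installed (to check for targeted banking apps).
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
VISIBILITY_PERM = "android.permission.QUERY_ALL_PACKAGES"

# Constructed sample manifest (hypothetical package names, not from a real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <queries>
    <package android:name="com.example.bank.one"/>
    <package android:name="com.example.bank.two"/>
  </queries>
  <application android:label="X File Manager"/>
</manifest>"""

# Constructed benign manifest: a file manager that can install but does not probe.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainfm">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the dropper-relevant capabilities declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    # <queries><package .../></queries> is how an app declares which other
    # packages it wants to be able to detect on Android 11 and later.
    queried = [p.get(NAME_ATTR)
               for q in root.iter("queries") for p in q.iter("package")]
    can_install = INSTALL_PERM in perms
    probes_packages = VISIBILITY_PERM in perms or bool(queried)
    return {
        "package": root.get("package"),
        "can_install_packages": can_install,
        "probes_installed_packages": probes_packages,
        "queried_packages": queried,
        # Both capabilities together match the dropper behaviour described above.
        "dropper_pattern": can_install and probes_packages,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```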

Previous attack incidents

This is not the first time SharkBot operators have used the Google Play Store. In September, cybersecurity firm Fox-IT revealed that the operators behind SharkBot had been spreading the malware through apps that had since been disabled and that already had tens of thousands of installations.

The malicious apps, called Mister Phone Cleaner and Kylhavy Mobile Security, had been downloaded 50,000 and 10,000 times respectively, Fox-IT said. The malware primarily targeted victims in Spain, Australia, Poland, Germany, the United States and Austria.

Cybersecurity researchers at Cleafy identified the Trojan in October 2021, when the operators targeted banking and crypto service customers in the UK, Italy and the US through sideloading and social engineering campaigns.

The previous version of the SharkBot Trojan was seen stealing session cookies from victims, including data captured when they log into their bank accounts. It detects when a victim opens a banking application and performs a further injection or a spoofing attack to steal credentials.
