Vicious SharkBot banking trojan discovered in Play Store antivirus app

The SharkBot remote access banking trojan was first spotted in the wild in October 2021. Security researchers atCleafydiscovered it and concluded it was one of a kind, with no connection to malware likeTeaBotorXenomorph— and it had some notably sophisticated and insidious functions. One, Automatic Transfer System (ATS), is new to Android and lets attackers move money automatically out of the victim’s accounts, with no human intervention needed. And as British IT security researchers discovered, an updated SharkBot is hiding inside an innocent-looking antivirusappwhich is still available on the Google Play Store as of Saturday.

Sign up forfree

Forgot your password?

Create an account

*Required: 8 chars, 1 capital letter, 1 number

By continuing, you agree to thePrivacy PolicyandTerms of Use.You also agree to receive our newsletters, you can opt-out any time.

4

According to NCC, SharkBot can perform an “overlay attack” the moment it detects an active banking app. It throws up a screen that looks like the bank in question, ready for you to feed it your login credentials. The program also activates a keylogger that sends whatever you type to the attacker’s servers — and it doesn’t just intercept SMS messages but can hide them, too. The software can even hijack incoming notifications and send out messages that originate with the attacker’s command and control. Ultimately, SharkBot can use these methods to completely own an Android smartphone.

Fortunately, this particular malicious app hasn’t spread much further than 1,000 downloads — so far. However, if youhavedownloaded the fake “Antivirus, Super Cleaner” from the Play Store, delete it immediately and consider the possibility you may need to fully wipe your phone. This is one shark you won’t see coming thanks to a dorsal fin sticking out of the water.

Image of swimming shark

The note-taking app I should have used all along

Broader branding hints at wider paid-tier ambitions

article limit background

PlayStation Plus subscribers of all tiers are getting access to three excellent titles, including Psychonauts 2, in September

Boost Mobile sees changes, too

Screen capture of malware-infected app

Goodbye, text-only analysis

Pixelsnap on a Pixel 9

Samsung Notes logo in front of image containing S Pen and devices using Samsung Notes