Check Point Research discovered at least six separate applications on Google Play over the last month that were posing as legitimate antivirus software but were being utilized to install SharkBot on the smartphones of users who downloaded the apps. In the relatively short time that they were available, the six apps were downloaded over 15,000 times from three different developer accounts.
The malware, dubbed “next-generation” by its discoverer, exploits hacked Android devices to steal money from bank accounts while the victim is logged in, circumventing multi-factor authentication safeguards in the process. SharkBot can also steal credentials and credit card information, and it comes with several capabilities that make detection more difficult or time-consuming.
SharkBot’s use of the Domain Generation Algorithm (DGA) to continually switch up its C2 domains, which makes blocking the threat more difficult, is something Check Point hackers rarely seen in Android malware. SharkBot also has a geofencing feature that prevents the virus from executing on Android devices in China, Russia, Ukraine, India, Belarus, and Romania.
“A malicious client and hostile actor can update the C2 server in concert, without any communication,” explains Alexander Chailytko, Check Point Software’s cybersecurity research, and innovation manager. Sharkbot can produce 35 domains per week using DGA, which complicates the task of blocking malware operators’ servers, according to him.
Because all of SharkBot’s harmful actions are triggered via the command-and-control server, Chailytko claims that the malicious app can remain in an “OFF” state in Google Play for a test period and then become “ON” once it reaches the users’ devices.
A week later, Google removed the rogue apps from Google Play. Check Point detected two more apps with the malware on Google Play less than a week later — and then again a week later. Google’s security staff acted fast on both occasions to eliminate the dangers before they could be downloaded by consumers.