Soap Suds: The Return of SharkBot

Hank Schless  00:10

Hi everybody, you're listening to Soapsuds, our five minute podcast series where we go over current events in cybersecurity, and review the lessons learned. I'm your host, Hank Schless. Today, we're going to talk about the notorious Android banking Trojan known as SharkBot, which has once again made an appearance in the Google Play Store by masquerading as an antivirus app and also as a cleaner app. So today, what we're going to do is we're going to go over what's changed in this new iteration of the malware, who is at risk, and what people can do to protect themselves against it. So this is the second iteration of SharkBot, which is a banking Trojan that was first discovered back in October 2021. This newer version targets the banking credentials of Android users specifically through two apps that collectively had over 60,000 installations. The good news is that these so-called dropper apps, which are applications built with little to no malicious code but will connect back to a malicious host so the attacker can deliver a payload to the device, were discovered and subsequently removed from the Google Play Store. However, further analysis of the command and control servers shows that Android users in the UK, Italy, Spain, Australia, Poland, Germany, the United States, and Austria were targets of this banking Trojan. The interesting thing is that to avoid detection in the Play Store, these two dropper apps use a less sophisticated approach, as I mentioned before, but even less sophisticated than previously seen with SharkBot droppers. These ones specifically rely on the user unwittingly allowing the installation of the malicious package, rather than the tactics they used in the past where they attempted to implant it on the user's device automatically. From a code perspective, this is much simpler and is likely a deliberate decision by the threat actors to prevent droppers’ code from being scrutinized, in addition to relatively little malicious code. The apps on the Play Store also leverage localization checks, because they want to maintain a low profile, for unlimited attempts to drop the malicious package or malware only on the device that matches the intended victim profile. Now, it's common for malicious app developers to create a seemingly harmless or innocuous app that they know will likely get through the automated approvals and beyond major app stores. Attackers will usually stick to things like utility apps, maybe a QR code, scanner, flashlights, photo filters, PDF scanners –– these are typically apps that people download out of necessity, and won't put as much time or effort into looking at reviews that may impact their decision as to whether they download the app or not. Malware developers have also been known to purchase utility apps from their original developers, once they have a critical mass of downloads. This is basically an alternative route, but it can be just as effective. If the app is already on the App Store, has decent reviews, and has been downloaded by tens of thousands of users, then the malicious actor can simply hide their malicious code, and update in order to infect the existing user base. So how can you protect yourself? While we all want to think that the app stores are perfect safe havens, the fact is, is that nothing is perfect. And you know, while they do have security safeguards in place, threat actors continue to invent new ways to circumvent these safeguards and get malicious software onto the stores. These stores do have strong protections in place to prevent malware from sneaking in. But as proven by these two dropper apps, malware can sometimes slip through the cracks or the attackers use something like a dropper app to avoid detection and eventually deliver a malicious payload to the device after it's been downloaded. So if you ever see any request to install or update packages from unknown sources, immediately deny that request on your device. We're also wired to just accept whatever notifications we see on our screen. In this case, you should exercise some serious caution. Now, every time the app prompts you to update it, it should redirect you to an official app store, whether that's the Play Store or the iOS App Store, depending on what platform you're using. If it doesn't, again, that should be a huge red flag, it should not be trusted. And honestly, you should just delete the app and report it at that point. To wrap it up:   

while this particular piece of malware targets mobile bankers, the same tactic can be used to target accounts for work related apps like Google Drive, Office 365, Outlook –– other apps that we all use every day, and this would pose a serious risk for any organization that relies on these apps for their employees to be productive from their mobile devices. This discovery really highlights how malware evolves and can reappear with more advanced features. Protecting yourself against banking Trojans and other mobile malware requires a security tool built specifically for mobile because mobile security solutions can be backed by massive threat intelligence datasets that protect you from threats like SharkBot, because with a massive dataset like this, these solutions can observe components of software and indicate that it has malicious intent, especially because a lot of malware is reused. Now, Lookout first detected SharkBot and its data corpus in November of 2021, and automatically pushed protection to all of its users. Since then, Lookout researchers have observed a number of cases where the malware has appeared in our dataset and our customer base. And then we've also discovered about 25 dropper apps. So it's evident that as the malware continues to evolve, these numbers will grow as well. So that's this week. Soapsuds. Thanks so much for listening again. I'm your host Hank Schless.