
SharkBot Android Trojan Resurfaces On Google Play Store


Check Point researchers have unearthed multiple malicious Android apps on the Google Play Store posing as antivirus applications to deploy the SharkBot Android trojan.

The banking trojan was initially spotted in November last year, when it was being deployed only via third-party application stores. Its primary purpose was to initiate illegal money transfers via Automatic Transfer Systems (ATS) by auto-filling fields in legitimate applications.

Last month, NCC Group reported that multiple SharkBot droppers had infiltrated Google Play, all of which showed similar code and behavior. The first SharkBot dropper discovered in Google Play masqueraded as an antivirus solution. It was identified as a downgraded version of the trojan containing only minimal features, but capable of fetching and installing the full version at a later date.

Apparently, on March 9th, Google removed the four apps in question, and a few days later another SharkBot dropper was identified. That app was reported right away, so it recorded no installations. The same happened on March 22 and 27: those new droppers were removed from Google Play shortly after discovery.

According to Check Point researchers, they identified a total of seven droppers in Google Play, published from developer accounts that were active in late 2021 and had some of their applications removed from the store. However, these malicious apps had already been installed more than 15,000 times before the takedown.

Once installed on an Android device, SharkBot abuses Android's Accessibility Services permissions to present fake overlay windows on top of legitimate banking apps. When victims enter their usernames and passwords into these windows, which mimic the legitimate credential input forms, the stolen data is sent to a malicious server.

“What is interesting and different from the other families is that SharkBot likely uses ATS to also bypass multi-factor authentication mechanisms, including behavioral detection like biometrics, while at the same time it also includes more classic features to steal user’s credentials,” NCC Group stated.

The trojan also employs geofencing and evasion techniques that set it apart from other mobile banking malware. Its geofencing ignores users in China, Romania, Russia, Ukraine, Belarus, and India. The majority of victims reside in Italy and the United Kingdom.

Android Malware in Google Play Stealing Victim's Data


Cyber threat intelligence researchers warned users that an Android banking malware, ‘TeaBot’, which steals users' private data and SMS messages, has been downloaded thousands of times via the Google Play Store. According to the experts, TeaBot is an Android banking trojan that first became known at the beginning of 2021 as a trojan designed to steal victims' text messages.

According to the online fraud management and prevention firm Cleafy, in its initial phase TeaBot was distributed through smishing campaigns using a predefined list of lures, such as VLC Media Player, TeaTV, DHL and UPS, and others.

Following the incident, the researchers said that "In the last months, we detected a major increase of targets which now count more than 400 applications, including banks, crypto exchanges/wallets, and digital insurance, and new countries such as Russia, Hong Kong, and the US." 

Since February, TeaBot has supported new languages, including Russian, Mandarin Chinese, and Slovak, which lets the operators display custom messages during the installation phase.

On February 21, the Threat Intelligence and Incident Response (TIR) team from Cleafy detected an application published on the official Google Play Store that was acting as a dropper delivering TeaBot through a fake update procedure. Once the user has downloaded it, the dropper asks them to update immediately via a popup message.

"The dropper lies behind a common QR Code & Barcode Scanner and it has been downloaded more than 10,000 times. All the reviews display the app as legitimate and well-functioning," the team added.

Purple Fox Backdoor Identified in Malicious Telegram Installers


A novel technique for targeting computer systems has been discovered. According to a joint report by the Minerva Labs cybersecurity team and MalwareHunterTeam, trojanized installers of the Telegram messaging application are being circulated online to distribute the Purple Fox malware, a Windows-based rootkit that is used to install further malicious payloads on compromised devices.

The installer for the malicious Telegram application is a compiled AutoIt script called "Telegram Desktop.exe" that drops two files: the legitimate Telegram installer and a malicious downloader. While the legitimate Telegram installer dropped alongside the downloader is never executed, the AutoIt program does run the downloader, TextInputh.exe.

When executed, TextInputh.exe creates a folder named "1640618495" under the C:\Users\Public\Videos\ directory, then connects to the C2 server to download a 7z utility and a RAR archive (1.rar). The archive contains the payload and configuration files, and the 7z program unpacks it; among the extracted files is one used to load a malicious DLL reflectively.

The next step is the creation of a registry key for persistence on the compromised device; five further files are then dropped into the ProgramData folder to perform functions including shutting down a wide range of antivirus processes before Purple Fox is finally executed.
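The chain above maps cleanly onto host telemetry. The following is an added example, not code from the Minerva Labs report: each predicate encodes one stage of the chain against constructed, Sysmon-like event dicts, and a host is flagged only when several stages line up, since a lone file under Public\Videos is noise on its own. The event field names and the Run-key persistence location are assumptions (the post only says "a registry key").

```python
"""Stage correlation for the trojanized-Telegram / Purple Fox chain.
Added example, not code from the Minerva Labs report; events are constructed
Sysmon-like dicts, and field names and the Run-key location are assumptions."""
import re
from collections import defaultdict

# Numeric staging folder under C:\Users\Public\Videos\ (e.g. 1640618495)
STAGING_DIR = re.compile(r"^c:\\users\\public\\videos\\\d+\\", re.I)
STAGES = {  # one predicate per stage the post describes
    "dropper_spawn": lambda e: (e["type"] == "process"
        and e["parent"].lower().endswith("telegram desktop.exe")
        and e["image"].lower().endswith("textinputh.exe")),
    "staging_dir": lambda e: (e["type"] == "file"
        and STAGING_DIR.match(e["path"]) is not None),
    "archive_fetch": lambda e: (e["type"] == "file"
        and e["image"].lower().endswith("textinputh.exe")
        and e["path"].lower().endswith(("\\7z.exe", "\\1.rar"))),
    "run_key": lambda e: (e["type"] == "registry"
        and "\\currentversion\\run\\" in e["key"].lower()),
}

def matched_stages(events):
    """Return {host: set of stage names} observed in the event stream."""
    seen = defaultdict(set)
    for e in events:
        for name, pred in STAGES.items():
            if pred(e):
                seen[e["host"]].add(name)
    return seen

def verdicts(events, threshold=3):
    """Hosts on which at least `threshold` distinct stages were seen;
    a single stage (a file in Public\\Videos) is too noisy on its own."""
    return {h: sorted(s) for h, s in matched_stages(events).items()
            if len(s) >= threshold}

# Constructed sample telemetry: WS01 shows the full chain, WS02 is benign.
TI = r"C:\Users\a\AppData\Local\Temp\TextInputh.exe"
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "image": TI,
     "parent": r"C:\Users\a\Downloads\Telegram Desktop.exe"},
    {"host": "WS01", "type": "file", "image": TI,
     "path": r"C:\Users\Public\Videos\1640618495\1.rar"},
    {"host": "WS01", "type": "file", "image": TI,
     "path": r"C:\Users\Public\Videos\1640618495\7z.exe"},
    {"host": "WS01", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "WS02", "type": "file", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\Public\Videos\holiday.mp4"},
]
```

Calling `verdicts(SAMPLE_EVENTS)` flags only WS01, with all four stages listed.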

The Purple Fox trojan comes in two Windows variants, 32-bit and 64-bit. In March last year, Guardicore Labs uncovered new worm capabilities integrated into the malware, and thousands of vulnerable servers were hijacked to host Purple Fox payloads.

Last October, Trend Micro researchers discovered a new backdoor named FoxSocket, believed to be a new addition to the malware's existing capabilities. Purple Fox is likely to stay on security researchers' radar for a while: it has unique worm functionality, contains a rootkit, employs stealth and has upgraded backdoors, which is why many are keeping tabs on its development.

"The beauty of this attack is that every stage is separated to a different file which is useless without the entire file set," the researchers explained. "This helps the attacker protect his files from AV detection."

New Android Trojan SharkBot is Targeting Banking Apps to Steal Financial Credentials


Cybersecurity researchers have uncovered a new Android trojan that can circumvent multi-factor authentication on banking apps, putting users' financial data and money at risk.

Dubbed "SharkBot" by Cleafy researchers, the Android malware has been spotted in assaults across Europe and the United States to siphon credentials from smartphones using the Google Android operating system.

"The main goal of SharkBot is to initiate money transfers from the compromised devices via Automatic Transfer Systems (ATS) technique bypassing multi-factor authentication mechanisms (e.g., SCA)," the researchers from cyber security firm Cleafy said in a report.

"Once SharkBot is successfully installed in the victim's device, attackers can obtain sensitive banking information through the abuse of Accessibility Services, such as credentials, personal information, current balance, etc., but also to perform gestures on the infected device." 

According to researchers, SharkBot is modular malware that belongs to the next generation of mobile malware able to perform attacks based on the Automatic Transfer System (ATS) technique. The Android trojan is equipped with several features, such as the ability to block legitimate banking communications sent via SMS, enable keylogging, and gain full remote control of the exploited devices.

Additionally, the malware poses as a media player, live TV, or data recovery apps and prompts users with rogue pop-ups to grant it wide permissions only to steal private details. Where it stands apart is the exploitation of accessibility settings to carry out ATS attacks, which allow the operators to "auto-fill fields in legitimate mobile banking apps and initiate money transfers from the compromised devices to a money mule network controlled by the cybercriminals." 

The Android trojan employs different anti-analysis and detection-evasion techniques to bypass multi-factor authentication on banking apps, including running emulator checks, encrypting command-and-control communications with a remote server, and concealing the app's icon from the home screen after installation. So far, no samples of the malware have been spotted on the Google Play Store, indicating that the malicious apps are installed on users' devices either via sideloading or social engineering.
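Both SharkBot posts on this page describe the same capability bundle: an accessibility service driving overlays over banking apps, SMS interception, and droppers that fetch and install the full payload. The following is an added example, not code from Cleafy, NCC Group or Check Point: a manifest triage routine that flags an APK whose AndroidManifest.xml declares that combination. The sample manifest, the "media player" package name and the scoring weights are constructed for this example.

```python
"""Manifest triage for SharkBot-style capability combinations.
Added example, not code from Cleafy/NCC Group/Check Point: flags an
APK manifest that combines the capabilities described above
(accessibility service, overlays, SMS interception, installing a
fetched payload). Scoring weights are this example's assumption."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows over other apps",
    "android.permission.RECEIVE_SMS": "read incoming SMS (OTP/2FA codes)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install a fetched payload",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

def triage_manifest(xml_text):
    """Return (score, findings) for an AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name in RISKY_PERMISSIONS:
            findings.append(f"{name}: {RISKY_PERMISSIONS[name]}")
    for action in root.iter("action"):
        if action.get(ANDROID_NS + "name") == ACCESSIBILITY_ACTION:
            findings.append("declares an AccessibilityService (can read "
                            "screen content and inject gestures)")
            break
    # Accessibility + overlay together is the overlay/ATS pattern; weight it up.
    score = len(findings)
    if any("AccessibilityService" in f for f in findings) and \
       any("SYSTEM_ALERT_WINDOW" in f for f in findings):
        score += 2
    return score, findings

# Constructed sample manifest mimicking a "media player" lure, not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mediaplayer.lure">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Media Player">
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
```

`triage_manifest(SAMPLE_MANIFEST)` returns a score of 6 with four findings; a manifest requesting only INTERNET scores 0. In practice the manifest is first decoded from the APK (for example with apktool), since it is stored in binary XML.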

"The discovery of SharkBot in the wild shows that mobile malware is quickly finding new ways to perform fraud, trying to bypass behavioral detection countermeasures put in place by multiple banks and financial services during the last years," the researchers stated.