threatpost.com (35.173.160.135) Public Scan

URL: https://threatpost.com/google-play-bitten-sharkbot/179252/
Submission: On April 14 via api from IN — Scanned from DE




GOOGLE PLAY BITTEN BY SHARKBOT INFO-STEALER ‘AV SOLUTION’

Author: Elizabeth Montalbano
April 8, 2022 12:06 pm
3:30 minute read

Google removed six different malicious Android applications targeting mainly
users in the U.K. and Italy that were installed about 15,000 times.

Researchers have found the info-stealing Android malware Sharkbot lurking
unsuspected in the depths of the Google Play store under the cover of anti-virus
(AV) solutions.

While analyzing suspicious applications on the store, the Check Point Research
(CPR) team found what purported to be genuine AV solutions downloading and
installing the malware, which steals credentials and banking info from Android
devices but also has a range of other unique features.

“Sharkbot lures victims to enter their credentials in windows that mimic benign
credential input forms,” CPR researchers Alex Shamsur and Raman Ladutska wrote
in a report published Thursday. “When the user enters credentials in these
windows, the compromised data is sent to a malicious server.”

Researchers discovered six different applications—including ones named Atom
Clean-Booster, Antivirus; Antvirus Super Cleaner; and Center
Security-Antivirus—spreading Sharkbot. The apps came from three developer
accounts—Zbynek Adamcik, Adelmio Pagnotto and Bingo Like Inc.—at least two of
which were active in the autumn of last year. The timeline makes sense, as
Sharkbot first came onto researchers’ radar screens in November.

“Some of the applications linked to these accounts were removed from Google
Play, but still exist in unofficial markets,” researchers wrote. “This could
mean that the actor behind the applications is trying to stay under the radar
while still involved in malicious activity.”

Google removed the offending applications, but not before they were downloaded
and installed about 15,000 times, researchers said. Primary targets of Sharkbot
are users in the United Kingdom and Italy, as was previously the case, they
said.


UNIQUE ASPECTS

CPR researchers peered under the hood of Sharkbot and uncovered not only typical
info-stealing tactics, but also some characteristics that set it apart from
typical Android malware, researchers said. It includes a geofencing feature that
selects users based on geographic areas, ignoring users from China, India,
Romania, Russia, Ukraine or Belarus, they said.

Sharkbot also boasts some clever techniques, researchers noted. “If the malware
detects it is running in a sandbox, it stops the execution and quits,” they
wrote.

Another unique hallmark of the malware is that it makes use of a domain
generation algorithm (DGA), a technique rarely seen in malware for the Android
platform, researchers said.

“With DGA, one sample with a hardcoded seed generates seven domains per week,”
they wrote. “Including all the seeds and algorithms we have observed, there is a
total of 56 domains per week, i.e., 8 different combinations of seed/algorithm.”

Researchers observed 27 versions of Sharkbot in their research; the main
difference between versions was different DGA seeds as well as different
botnetID and ownerID fields, they said.

All in all, Sharkbot implements 22 commands that allow various malicious actions
to be executed on a user’s Android device, including: requesting permission for
sending SMS messages; uninstalling a given application; sending the device’s
contact list to a server; disabling battery optimization so Sharkbot can run in
the background; and imitating the user’s swipe over the screen.


TIMELINE OF ACTIVITY

Researchers first discovered four applications of the Sharkbot Dropper on Google
Play on Feb. 25 and shortly thereafter reported their findings to Google on
March 3. Google removed the applications on March 9 but then another Sharkbot
dropper was discovered six days later, on March 15.

CPR reported the third dropper discovered immediately and then found two more
Sharkbot droppers on March 22 and March 27 that they also reported quickly to
Google for removal.

The droppers by which Sharkbot spreads in and of themselves should raise
concern, researchers said. “As we can judge by the functionality of the
droppers, their possibilities clearly pose a threat by themselves, beyond just
dropping the malware,” they wrote in the report.

Specifically, researchers found the Sharkbot dropper masquerading as the
following applications on Google Play:

 * com.abbondioendrizzi.tools[.]supercleaner
 * com.abbondioendrizzi.antivirus.supercleaner
 * com.pagnotto28.sellsourcecode.alpha
 * com.pagnotto28.sellsourcecode.supercleaner
 * com.antivirus.centersecurity.freeforall
 * com.centersecurity.android.cleaner

The droppers also have a few of their own evasion tactics, such as detecting
emulators and quitting if one is found, researchers noted. They also are able to
inspect and act on all the UI events of the device as well as replace
notifications sent by other applications.

“In addition, they can install an APK downloaded from the CnC, which provides a
convenient starting point to spread the malware as soon as the user installs
such an application on the device,” researchers added.


GOOGLE PLAY UNDER FIRE

Google has long struggled with the persistence of malicious applications and
malware on its Android app store and has made significant efforts to clean up
its act.

However, the emergence of Sharkbot disguised as AV solutions shows that
attackers are getting sneakier in how they hide their malicious activity on the
platform, and could serve to damage users’ confidence in Google Play, noted a
security professional.

“Malware apps that conceal their malicious functionality with time delays, code
obfuscation and geofencing can be challenging to detect during the app review
process, but the regularity that they are discovered lurking in official app
stores really damages user trust in the safety of all apps on the platform,”
observed Chris Clements, vice president of solutions architecture at security
firm Cerberus Sentinel, in an email to Threatpost.

With the smartphone at the center of people’s digital lives and acting as a hub
of financial, personal and work activity, “any malware that compromises the
security of such a central device can do significant financial or reputational
damage,” he added.

Another security professional urged Android users to be cautious when deciding
whether or not to download a mobile app from a reputable vendor’s store, even if
it’s a trusted brand.

“When installing apps from various technology stores, it is best to research the
app before downloading it,” observed James McQuiggan, security awareness
advocate at KnowBe4. “Cybercriminals love to trick users into installing
malicious apps with hidden functionalities in an attempt to steal data or take
over accounts.”
