Apps now deleted have 10,000 downloads, target victims in UK, Italy
The operators behind the SharkBot banking trojan have been targeting Google Play users by posing as Android file manager apps; the apps, since deactivated, had tens of thousands of installations.
Cybersecurity company Bitdefender says it found applications in the Google Play Store disguised as file managers that “acted as droppers for SharkBot bankers shortly after installation, depending on the user’s location”.
“The Google Play Store would likely detect a banker trojan uploaded to their repository, so criminals resort to more covert methods. One way is with an app, sometimes legitimate with some of the advertised features, that doubles as dropper for more insidious malware,” say Bitdefender researchers.
The apps discovered by Bitdefender are disguised as file managers and request permission to install third-party packages, which is what lets them download and install the malware.
“Since Google Play apps only require the functionality of a file manager to install another app and the malicious behavior is triggered for a limited group of users, they are difficult to detect,” researchers say.
Although the apps have been removed from Google Play, researchers warn that they are still available on the web in several third-party stores, so they remain a current threat.
Most downloads came from users in the UK and Italy, with a small minority in other countries.
Traditionally, a banking trojan collects user credentials and other sensitive financial and personal information stored on a device to use in future online fraud or phishing campaigns.
X file manager
Bitdefender researchers discovered the X-File Manager application from Google Play with more than 10,000 installations before it was removed.
This application installs a SharkBot sample labeled _File Manager and tricks the user into thinking that an update to the app needs to be installed.
“The developer profile on Google Play seems to be visible only to users from Italy and Great Britain. It is not possible to access the page without specifying the country code,” researchers say.
Bitdefender also says that multiple users have reported the app and that it has received several negative reviews, especially from Italy.
Upon further analysis of the X-File Manager app, Bitdefender researchers discovered that the app required multiple permissions from users, including:
- READ_EXTERNAL_STORAGE
- WRITE_EXTERNAL_STORAGE
- GET_ACCOUNTS
- REQUEST_INSTALL_PACKAGES
- QUERY_ALL_PACKAGES
- REQUEST_DELETE_PACKAGES
They also found that the application performs anti-emulator checks and targets users from the UK and Italy by verifying whether the SIM ISO country code matches IT or GB.
“It also checks whether the users have installed at least one of the targeted banking applications on their devices,” researchers say. “The application executes a request on the URI, downloads the package and writes the malicious payload to the device.”
The dropper finally fakes an update for the current application to complete the installation process and prompts users to install the deleted APK.
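The permission set above is the most visible static indicator of the dropper pattern the article describes: a "file manager" that can enumerate installed apps, install packages, and read device accounts. As an added example (not Bitdefender's tooling or the app's real manifest), the following Python script parses an AndroidManifest.xml, compares the declared permissions against the list in the article, and flags the combinations an analyst would want to review. Both manifests are constructed for illustration; the `triage` function and its verdict values are this example's own.

```python
import xml.etree.ElementTree as ET

# Android's manifest namespace; "android:name" becomes "{ns}name" in ElementTree.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions the article reports for the X-File Manager dropper.
ARTICLE_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.QUERY_ALL_PACKAGES",
    "android.permission.REQUEST_DELETE_PACKAGES",
}

INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
ENUMERATE = "android.permission.QUERY_ALL_PACKAGES"
ACCOUNTS = "android.permission.GET_ACCOUNTS"
DELETE = "android.permission.REQUEST_DELETE_PACKAGES"


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name="..."> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def triage(manifest_xml):
    """Static triage: flag permission combinations characteristic of a dropper.

    Returns a dict with 'verdict' ('ok' or 'review'), the overlap with the
    article's permission list ('hits'), and human-readable 'reasons'.
    """
    perms = declared_permissions(manifest_xml)
    hits = sorted(perms & ARTICLE_PERMISSIONS)
    reasons = []
    # Enumerating installed apps plus sideloading is the core dropper capability:
    # the app can check for targeted banking apps, then install a payload.
    if INSTALL in perms and ENUMERATE in perms:
        reasons.append("can enumerate installed apps and sideload packages (dropper pattern)")
    # Sideloading combined with account access has no obvious file-manager use.
    if INSTALL in perms and ACCOUNTS in perms:
        reasons.append("can sideload packages and read device accounts")
    # Requesting uninstall of other packages is unusual for a file manager.
    if DELETE in perms:
        reasons.append("can request uninstall of other packages")
    return {"verdict": "review" if reasons else "ok", "hits": hits, "reasons": reasons}


# Constructed manifest mirroring the permission set reported in the article.
DROPPER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.filemanager">
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
    <application android:label="File Manager"/>
</manifest>
"""

# Constructed manifest for a file manager that only touches storage.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benignfm">
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Benign File Manager"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("dropper-like", DROPPER_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, result["verdict"], result["reasons"])
```

This is a first-pass filter for an app-vetting pipeline, not a verdict on its own: the article notes that the malicious behaviour is gated on the SIM country and the presence of targeted banking apps, which a manifest scan cannot see, so a "review" result should feed into dynamic analysis on a device configured to look like a targeted user.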
Previous attack incidents
This isn’t the first time SharkBot operators have used the Google Play Store. In September, cybersecurity company Fox-IT announced that it had uncovered SharkBot operators spreading the malware through applications, since deactivated, that already had tens of thousands of installations.
The malicious apps, called Mister Phone Cleaner and Kylhavy Mobile Security, had been downloaded 50,000 and 10,000 times respectively, according to Fox-IT. The malware mainly targeted victims in Spain, Australia, Poland, Germany, the United States and Austria.
Cleafy cybersecurity researchers identified the trojan in October 2021, when the operators targeted bank and crypto service customers in the UK, Italy and the US through sideloading and social engineering campaigns.
A previous update of the SharkBot trojan added theft of victims’ session cookies, which hold the data generated when they log into their bank accounts. The malware detects when a victim opens a banking application and performs an additional injection or an overlay attack to steal credentials.