Security experts have identified malicious applications masquerading as antivirus solutions on the Google Play Store. These apps contain the SharkBot trojan, which targets Android devices. SharkBot is an info-stealer whose purpose is the theft of credentials and banking information.
How the SharkBot Campaign Unfolds
Researchers from Check Point have published a report on the discovered campaign, explaining how SharkBot works. Once installed, the trojan, which makes use of a Domain Generation Algorithm (DGA), tricks victims into entering their credentials in small windows that look like standard input forms.
It takes advantage of Android’s Accessibility Service to display bogus overlay windows over authentic banking apps. It can also auto-reply to Facebook Messenger and WhatsApp messages in order to promote links to bogus antivirus programs.
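An added example, not taken from the Check Point report or from the original article: because the overlay technique described above depends on an enabled Accessibility Service, a defender can audit which apps on a device have one enabled. The allowlist, the sample setting value and the package name `com.example.fakeantivirus` are constructed assumptions.

```python
# Added example: audit which apps hold an enabled Accessibility Service.
# Input is the value of the Android secure setting
# "enabled_accessibility_services", which can be collected with:
#   adb shell settings get secure enabled_accessibility_services
# The value is a colon-separated list of "package/ServiceClass" components.

# Assumption: packages this organisation expects to use accessibility.
ALLOWED_PACKAGES = {"com.google.android.marvin.talkback"}

# Constructed sample value; the second package is a made-up placeholder.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeantivirus/.CleanerService"
)


def parse_components(setting_value):
    """Return (package, service_class) tuples from the setting value."""
    value = (setting_value or "").strip()
    if value in ("", "null"):  # "settings get" prints "null" when unset
        return []
    components = []
    for item in value.split(":"):
        package, sep, cls = item.strip().partition("/")
        if not sep or not package:
            continue  # skip malformed entries instead of guessing
        if cls.startswith("."):
            cls = package + cls  # expand the ".Class" shorthand
        components.append((package, cls))
    return components


def unexpected_services(setting_value, allowed=ALLOWED_PACKAGES):
    """Return enabled accessibility services whose package is not allowlisted."""
    return [c for c in parse_components(setting_value) if c[0] not in allowed]


if __name__ == "__main__":
    for package, cls in unexpected_services(SAMPLE_SETTING):
        print(f"review: {package} has accessibility service {cls} enabled")
```

A hit is a prompt for review rather than a verdict, since legitimate apps such as password managers also request accessibility access.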
The trojan also uses a geofencing function to avoid targeting devices in India, China, Russia, Ukraine, Belarus, and Romania, and checks whether it is running in a sandbox to avoid being examined.
SharkBot steals credentials and banking information. The malware implements a geofencing feature and evasion techniques that make it stand out in the field. It also makes use of a Domain Generation Algorithm (DGA), an aspect rarely used in the world of Android malware. SharkBot lures victims to enter their