Hi Guys,

Researchers from the NCC Group have discovered a new version of the SharkBot banking malware, posing as an antivirus tool. If you have downloaded an antivirus tool called ‘Antivirus, Super Cleaner’ in the past few days, please remove it immediately and contact our support team, as your device is most likely infected with SharkBot malware.

What can SharkBot do?

NCC reports that the four primary functions in SharkBot’s latest version are:

  • Injections (overlay attack): SharkBot can steal credentials by showing a WebView with a fake login website (phishing) as soon as it detects the official banking app has been opened.
  • Keylogging: SharkBot can steal credentials by logging accessibility events (related to text field changes and buttons clicked) and sending these logs to the command and control server (C2).
  • SMS intercept: SharkBot has the ability to intercept/hide SMS messages.
  • Remote control/ATS: SharkBot has the ability to obtain full remote control of an Android device (via Accessibility Services).

In addition, SharkBot attempts to make automatic money transfers from any bank account attached to your smartphone. It does this by simulating screen and keyboard presses on your phone. This malware can empty your bank account in seconds.

How can you stay safe?

  • Only ever install apps from the Google Play Store, and before you install, check how many reviews the app has. (This is the most important thing to do.)
  • Never install an app from a website that you do not trust. You can use Incognito Website Checker, and we will tell you if it is safe or not.
  • During installation, pay attention to the requested permissions and do not grant any permissions that appear unnecessary for the app’s core functionality.
  • You can also use Incognito’s App Check tool to check what permissions an installed app already has on your device. If you use this feature, you will be stunned by some of the permissions your installed apps already have. I suggest you use this tool to check what apps have what permissions on your device. Does a torchlight app need to be able to make phone calls etc.?
  • Keep an eye on battery consumption; if your device goes dead fast, it is a clear sign of malware infection.
  • Also, keep an eye on network traffic volumes to identify any spikes, as this can be a sign of malicious processes running in the background.

Please let me know if you need any more information, and please also share this tip with family, friends, and work colleagues.

All the best,

Max Roberts,
Incognito Privacy Care team.
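
For readers who want to script the permission review recommended above, here is an added example (not part of the original message and not Incognito's tooling) that flags apps combining an enabled accessibility service with SMS access, the capability mix described for SharkBot. It assumes you have already collected each app's granted permissions (for example from `adb shell dumpsys package <name>`) and the output of `adb shell settings get secure enabled_accessibility_services`; the function names, package names and sample data are hypothetical.

```python
# Added example: triage an app inventory for accessibility control plus SMS access.
# All package names and sample data are constructed for illustration.
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}

def parse_accessibility_setting(value):
    """Parse the enabled_accessibility_services setting into package names.

    The value is a colon-separated list of 'package/ServiceClass' components;
    an unset value is reported as 'null' or an empty string.
    """
    value = (value or "").strip()
    if value in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def triage(granted, accessibility_setting, trusted=frozenset()):
    """Return {package: [findings]} for apps outside the trusted set."""
    a11y = parse_accessibility_setting(accessibility_setting)
    report = {}
    for pkg in sorted(set(granted) | a11y):
        if pkg in trusted:
            continue
        findings = []
        if pkg in a11y:
            findings.append("accessibility service enabled (can read and drive the UI)")
        sms = sorted(SMS_PERMS & set(granted.get(pkg, ())))
        if sms:
            findings.append("SMS access: " + ", ".join(p.rsplit(".", 1)[1] for p in sms))
        if findings:
            report[pkg] = findings
    return report

def high_risk(report):
    """Packages holding both capabilities at once deserve review first."""
    return [pkg for pkg, findings in report.items() if len(findings) == 2]

# Constructed sample inventory (hypothetical apps).
SAMPLE_GRANTED = {
    "com.example.cleaner": ["android.permission.RECEIVE_SMS",
                            "android.permission.READ_SMS"],
    "com.example.torch": ["android.permission.CAMERA"],
    "com.example.screenreader": [],
}
SAMPLE_A11Y = ("com.example.cleaner/com.example.cleaner.HelperService:"
               "com.example.screenreader/com.example.screenreader.Reader")
```

Pass accessibility tools you installed deliberately (a screen reader, a password manager) in `trusted` so the report only lists apps that still need a decision.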