SharkBot malware, which targets Android users’ banking credentials through applications with tens of thousands of downloads, has returned to the Google Play Store. The two Android apps passed Google’s automated review because, as submitted, they contained no dangerous code: they are droppers, and SharkBot is only added in an update that is fetched after the user downloads and runs them.
The two fraudulent applications are “Mister Phone Cleaner” and “Kylhavy Mobile Security,” which have a combined 60,000 installs, according to a blog post by Fox IT, a division of the NCC Group. Although Google Play has removed both apps, anyone who downloaded them is still at risk and has to uninstall them manually.
SharkBot was found in October 2021 by malware researchers at the Italian online fraud management and prevention firm Cleafy. NCC Group discovered the first apps using it on Google Play in March 2022. At that time the malware was capable of overlay attacks, data theft through keylogging, SMS message interception, and full remote control of the host device for the threat actors by abusing Android’s Accessibility Services.
SharkBot 2 was discovered in May 2022 by ThreatFabric researchers. This version had a domain generation algorithm (DGA), an improved communication protocol, and completely refactored code. On August 22, malware researchers at Fox IT found a new version of the malware (2.25), which adds the ability to harvest cookies from bank account logins. Additionally, unlike earlier versions, the new dropper applications no longer abuse the accessibility services.
“Abusing the accessibility permissions, the dropper was able to automatically click all the buttons shown in the UI to install Sharkbot. But this is not the case in this new version of the dropper for Sharkbot,” said Fox IT. It added, “the dropper instead will make a request to the C2 server to directly receive the APK file of Sharkbot. It won’t receive a download link alongside the steps to install the malware using the ‘Automatic Transfer Systems’ (ATS) features, which it normally did.”
Once installed, the dropper app requests the malicious SharkBot APK file from the command and control (C2) server. It then tells the user that an update is available and asks them to install the APK and grant the necessary permissions. SharkBot stores its hard-coded configuration encrypted with the RC4 algorithm to make automated detection more difficult.
SharkBot 2.25 still contains the overlay, remote control, SMS intercept, and keylogging components, but a cookie logger has been added on top of these. SharkBot uses a new command (“logsCookie”) to capture the victim’s legitimate session cookie when they log in to their bank account and transmit it to the C2.
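As an added illustration (not code from the Fox IT or Cleafy write-ups) of why the RC4-encrypted configuration described above frustrates automated string matching: the block implements RC4, encrypts a constructed sample configuration, and shows that a scan for indicators such as the “logsCookie” command finds nothing in the blob as shipped but everything once it is decrypted. The key, the configuration layout and the C2 hostname are constructed assumptions, not values from SharkBot.

```python
"""Added example: an RC4-encrypted configuration blob hides its indicators
from a plain string scan until an analyst decrypts it with the right key."""


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key-scheduling algorithm (KSA), then the PRGA keystream XORed
    with the data. Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):  # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # PRGA: one keystream byte per data byte
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Strings a detection rule might look for in a decrypted config.
# "logsCookie" is the command named in the article; the rest are constructed.
INDICATORS = [b"logsCookie", b"c2.example.invalid", b"overlay"]


def scan(blob: bytes) -> list[str]:
    """Return the indicator strings present in blob, in INDICATORS order."""
    return [s.decode() for s in INDICATORS if s in blob]


# Constructed sample: a settings blob as it might look before encryption.
SAMPLE_KEY = b"constructed-key"  # assumption, not a real SharkBot key
SAMPLE_CONFIG = (b'{"c2":"https://c2.example.invalid/api",'
                 b'"commands":["overlay","logsCookie"]}')
ENCRYPTED_CONFIG = rc4(SAMPLE_KEY, SAMPLE_CONFIG)


def compare_scans() -> tuple[list[str], list[str]]:
    """Scan the blob as shipped (encrypted) and again after RC4 decryption."""
    return scan(ENCRYPTED_CONFIG), scan(rc4(SAMPLE_KEY, ENCRYPTED_CONFIG))


if __name__ == "__main__":
    before, after = compare_scans()
    print("indicators in encrypted blob:", before)
    print("indicators after decryption: ", after)
```

The same `rc4` call decrypts a blob recovered from a sample once the key has been pulled from the APK, which is the step a static rule on the raw file cannot perform.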
Fox IT expects SharkBot campaigns to continue and the malware to keep evolving now that an improved version is available.