Malicious Malware SharkBot Returns to Google Play to Steal Users' Credentials

SharkBot malware, which targets Android users’ banking credentials through applications with tens of thousands of downloads, has returned to the Google Play Store. The two Android apps passed Google’s automated review because, as submitted, they contained no dangerous code. SharkBot itself is only delivered in an update that happens after the user downloads and runs the dropper applications.

The two fraudulent applications are “Mister Phone Cleaner” and “Kylhavy Mobile Security,” which have a combined 60,000 installs, according to the blog post by Fox IT, a division of the NCC Group. Although Google Play has removed both apps, anyone who installed them is still at risk and has to uninstall them manually.

SharkBot was found in October 2021 by malware researchers at the Italian online fraud management and prevention firm Cleafy. NCC Group discovered the first apps using it on Google Play in March 2022. At that time the malware was capable of overlay attacks, data theft by keylogging, SMS message interception, and total remote control of the host device for threat actors by abusing the Accessibility Services.

SharkBot 2 was discovered in May 2022 by ThreatFabric researchers. This version of SharkBot had a domain generation algorithm (DGA), an improved communication protocol, and completely refactored code. On August 22, malware researchers at Fox IT found a new version of the malware (2.25), which adds the ability to harvest cookies from bank account logins. Additionally, unlike in the past, the new dropper applications do not take advantage of the accessibility services.

“Abusing the accessibility permissions, the dropper was able to automatically click all the buttons shown in the UI to install Sharkbot. But this is not the case in this new version of the dropper for Sharkbot,” said Fox IT. It added, “the dropper instead will make a request to the C2 server to directly receive the APK file of Sharkbot. It won’t receive a download link alongside the steps to install the malware using the ‘Automatic Transfer Systems’ (ATS) features, which it normally did.”

After being installed, the dropper app requests the malicious SharkBot APK file from the command and control (C2) server. It then informs the user that an update is ready and asks them to install the APK and grant the necessary permissions. SharkBot keeps its hard-coded settings in encrypted form using the RC4 algorithm to make automated detection more challenging.
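As an added illustration (not code from the article or from Fox IT’s analysis), the following Python shows why an RC4-encrypted configuration defeats a naive indicator scan of the kind automated review might run, and how an analyst who has extracted the hard-coded key from a sample recovers the plaintext. The key, the configuration layout and the indicator list are constructed for the example and are not SharkBot’s.

```python
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed sample key and config; NOT SharkBot's real key or config format.
SAMPLE_KEY = b"example-hardcoded-key"
SAMPLE_CONFIG = b'{"c2":"c2.example.invalid","cmd":"logsCookie"}'
ENCRYPTED_CONFIG = rc4(SAMPLE_KEY, SAMPLE_CONFIG)


def static_string_scan(blob: bytes, indicators) -> list:
    """Naive review check: substring match for known indicators (C2 host, command names).
    Returns the indicators found; an RC4-encrypted blob yields none."""
    return [ind for ind in indicators if ind in blob]


def recover_config(blob: bytes, key: bytes) -> dict:
    """Analyst step: decrypt with the hard-coded key pulled from the sample, then parse."""
    return json.loads(rc4(key, blob))


if __name__ == "__main__":
    indicators = [b"c2.example.invalid", b"logsCookie"]
    print("plaintext hits:", static_string_scan(SAMPLE_CONFIG, indicators))
    print("encrypted hits:", static_string_scan(ENCRYPTED_CONFIG, indicators))
    print("recovered:", recover_config(ENCRYPTED_CONFIG, SAMPLE_KEY))
```

The same scan that matches both indicators in the plaintext config matches nothing in the RC4 output, which is the detection gap the encryption buys; recovering the key from the sample closes it.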

SharkBot 2.25 still contains the overlay, remote control, SMS intercept, and keylogging systems, but a cookie logger has been added on top of these. SharkBot uses a new command (“logsCookie”) to capture the victim’s legitimate session cookie when they connect to their bank account and transmit it to the C2.

Because cookies carry software and geographical parameters that make it easier to bypass fingerprinting checks and, in certain situations, the user’s authentication token, they help attackers gain access to accounts. While conducting their study, Fox IT detected new SharkBot campaigns across Europe (Spain, Austria, Germany, Poland) and the United States. Researchers found that in these attacks the malware uses its keylogging capability to collect sensitive information directly from the official app it targets.

Fox IT expects SharkBot campaigns to continue and the malware to keep evolving now that an improved version is available.

About the author

CIM Team