SirWin

SharkBot Malware Targeting Crypto Apps Resurfaces on Google Play


An updated version of a malware program that targets banking and crypto apps has reappeared in the Google Play Store. It can bypass fingerprint and authentication checks and grab cookies from account logins. On September 2, in addition to their jointly written post for Fox IT, malware analyst Alberto Segura and threat intelligence analyst Mike Stokkel tweeted a warning about the new malware variant.

How Deplorable is This App?

The new virus, which Segura claims was found on August 22, can “perform overlay attacks, steal data through keylogging, intercept SMS messages, or give threat actors complete remote control of the host device by abusing the Accessibility Services,” among other things.

Two Android apps, “Mister Phone Cleaner” and “Kylhavy Mobile Security,” which have since had 50,000 and 10,000 downloads, respectively, were found to contain the latest malware version.

Although they have now been taken down from the store, the two apps were first accepted onto the Play Store because Google’s automated code review did not find any dangerous code.

Some experts advise that individuals who downloaded the apps remove them manually, as they may still be at risk.

Thorough Research

An extensive study by the Italian security company Cleafy revealed that SharkBot had identified 22 targets, including five crypto exchanges and many foreign banks in the United States, the United Kingdom, and Italy.

In terms of its mode of attack, the older iteration of the SharkBot virus “relied on accessibility permissions to automatically perform the installation of the dropper SharkBot malware.”

The latest version is different: it asks the user to install the malware as a phony update for the antivirus, presented as protection against attacks.

After being installed, SharkBot can use the command logsCookie to steal a victim’s legitimate session cookie if they log into their bank or crypto account, effectively bypassing any fingerprinting or authentication measures.

According to Cleafy’s first assessment of SharkBot, the program’s main goal was “to provoke cash transfers from the compromised units by way of Computerized Switch Techniques (ATS) that bypasses multi-factor authentication measures.”

Past Experience

SharkBot was first described in November 2021, when it was available only through external application stores. The major goal of the threat was to exploit Automatic Transfer Systems (ATS) to start unlawful money transfers by pre-filling forms in legitimate applications.

SharkBot’s first dropper was a fake antivirus program discovered in Google Play. It was determined to be a stripped-down trojan that included only the bare minimum of functions but was still capable of subsequently retrieving and installing the full version.

Four SharkBot droppers were discovered by Check Point in Google Play around the same time NCC Group released their report on the Android trojan, which was reported to Google. The droppers had been passed off as security and optimization apps and were deleted from the official app store on March 9.

However, over the course of several weeks, the researchers noticed persistent efforts on the part of the trojan’s developers to have a dropper made available on Google Play. Before anyone could download them, at least two were removed the same day they were uploaded.

When SharkBot is installed on an Android smartphone, it prompts the user to provide access to the Android Accessibility feature by asking for permissions that give it authority over the device. By displaying phony login windows, it can steal user credentials in addition to carrying out illegal money transfers.
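An added example, not taken from the original article or from the researchers' reports: a small audit that cross-checks which third-party packages hold an enabled Accessibility service against the installer recorded for each package, since the dropper flow described above ends with a package that was installed by another app as a fake update and then granted Accessibility access. The inputs are constructed samples in the format printed by `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`; the package names are hypothetical.

```python
import re

# Constructed sample: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.cleaner.update/com.example.cleaner.update.CoreService"
)
# Constructed sample: adb shell pm list packages -3 -i  (third-party apps only)
SAMPLE_PKGS = """\
package:com.example.cleaner  installer=com.android.vending
package:com.example.cleaner.update  installer=com.example.cleaner
package:com.example.notes  installer=com.android.vending
"""
PLAY_STORE = "com.android.vending"

def parse_a11y(setting):
    """Return the packages that own an enabled accessibility service."""
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    # Entries are colon-separated "package/ServiceClass" components.
    return {c.split("/", 1)[0] for c in setting.split(":") if "/" in c}

def parse_installers(listing):
    """Map third-party package -> installer package (None if not recorded)."""
    out = {}
    for line in listing.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            out[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return out

def audit(setting, listing):
    """List third-party apps with Accessibility enabled, ranked by install source."""
    installers = parse_installers(listing)
    findings = []
    for pkg in sorted(parse_a11y(setting)):
        if pkg not in installers:
            continue  # not in the -3 listing: preinstalled/system package
        inst = installers[pkg]
        # Installed by something other than the Play Store (another app, or
        # no recorded installer) matches the "fake update" dropper pattern.
        severity = "review" if inst == PLAY_STORE else "high"
        findings.append((pkg, inst, severity))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_A11Y, SAMPLE_PKGS):
        print(finding)
```

A Play Store installer is marked "review" rather than trusted, because the droppers named in the article were themselves distributed through Google Play.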

Along with using geofencing to exclude users from Belarus, China, India, Romania, Russia, and Ukraine, the threat also employs a domain generation algorithm (DGA), which generates about 56 new domains each week. The researchers also found eight IP addresses used by the virus for command and control (C&C).