Crypto app-targeting SharkBot malware reappears in Google’s app store
An upgraded version of SharkBot, a strain of malware that targets banking and crypto apps, has recently resurfaced in the Google Play Store, now with the ability to steal cookies from account logins and bypass fingerprint or other authentication requirements.
A warning about the new version of the malware was shared by malware analyst Alberto Segura and process intelligence analyst Mike Stokkel on their Twitter accounts on September 2, together with their co-authored article on Fox IT’s blog.
We discovered a new version of #SharkbotDropper in Google Play is used to download and install #Sharkbot! The found droppers were used in a campaign targeting the UK and IT! Great work @Mike_stokkel! https://t.co/uXt7qgcCXb
— Alberto Segura (@alberto__segura) 2 September 2022
According to Segura, the new version of the malware was discovered on August 22, and can “perform overlay attacks, steal data through keylogging, intercept SMS messages, or give threat actors complete remote control of the host device by abusing the accessibility services.”
The new malware version was found in two Android apps – “Mister Phone Cleaner” and “Kylhavy Mobile Security”, which have since amassed 50,000 and 10,000 downloads respectively.
The two apps only made it onto the Play Store after Google’s automatic code review failed to detect any malicious code. They have since been removed from the store.
However, the 60,000 users who installed the apps may still be at risk and should remove the apps manually, observers have suggested.
An in-depth analysis by Italy-based security firm Cleafy found that SharkBot had 22 identified targets, including five cryptocurrency exchanges and a number of international banks in the US, UK and Italy.
Regarding the malware’s mode of attack, the previous version of the SharkBot malware “relied on accessibility permissions to automatically perform the installation of the dropper SharkBot malware.”
But this new version is different in that it “asks the victim to install malware as a fake update for the antivirus to stay protected from threats.”
If installed, when the victim logs into their bank or crypto account, SharkBot is able to capture their valid session cookie via the “logsCookie” command, essentially bypassing any fingerprint or authentication method used.
This is interesting!
Sharkbot Android malware interrupts “Sign in with fingerprint” dialog boxes forcing users to enter username and password
(according to @foxit blog post) pic.twitter.com/fmEfM5h8Gu
— Łukasz (@maldr0id) 3 September 2022
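The cookie theft described above works because, for many services, possession of the session cookie alone is enough to act as the user. One defensive pattern is to bind each session to a key the device holds and require a per-request proof of possession, so an exfiltrated cookie is useless off the device. The following is an added illustration written for this page, not code from the article, Fox IT or Cleafy; the `SessionServer` and `sign_request` names are assumptions, and the random 32-byte HMAC key stands in for what on Android would be a non-exportable key in a hardware-backed Keystore.

```python
"""Proof-of-possession sessions: a stolen cookie (session id) without the
device-held key is rejected. Added defensive example, not the article's code."""
import hashlib
import hmac
import secrets
import time


def sign_request(device_key: bytes, sid: str, path: str, ts: int, nonce: str) -> str:
    """Client side: sign the request with the device-held key (assumed non-exportable)."""
    msg = f"{sid}|{path}|{ts}|{nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class SessionServer:
    """Hypothetical server-side session store that binds a session to a device key."""

    def __init__(self, max_skew: int = 60):
        self.sessions = {}          # session id -> {"user": str, "device_key": bytes}
        self.seen_nonces = set()    # replay protection for signed requests
        self.max_skew = max_skew    # tolerated clock drift in seconds

    def login(self, user: str, device_key: bytes) -> str:
        """After a successful login, register the device key the client enrolled with."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "device_key": device_key}
        return sid

    def check_request(self, sid: str, path: str, ts: int, nonce: str, sig: str, now=None):
        """Return (accepted, user_or_reason). The cookie alone never authenticates."""
        now = time.time() if now is None else now
        rec = self.sessions.get(sid)
        if rec is None:
            return False, "unknown session"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = sign_request(rec["device_key"], sid, path, ts, nonce)
        if not hmac.compare_digest(expected, sig):
            # Cookie presented without the device key: the pattern a stolen session shows.
            return False, "bad proof of possession"
        self.seen_nonces.add(nonce)
        return True, rec["user"]


def demo():
    """Legitimate request succeeds; the same cookie replayed without the key fails."""
    server = SessionServer()
    device_key = secrets.token_bytes(32)      # constructed stand-in for a Keystore key
    sid = server.login("alice", device_key)   # constructed user
    ts, nonce = int(time.time()), secrets.token_hex(8)
    legit_ok, _ = server.check_request(
        sid, "/transfer", ts, nonce, sign_request(device_key, sid, "/transfer", ts, nonce)
    )
    # Replay with only the cookie: a signature made with some other key is rejected.
    wrong_key = secrets.token_bytes(32)
    nonce2 = secrets.token_hex(8)
    stolen_ok, reason = server.check_request(
        sid, "/transfer", ts, nonce2, sign_request(wrong_key, sid, "/transfer", ts, nonce2)
    )
    return legit_ok, stolen_ok, reason


if __name__ == "__main__":
    print(demo())
```

The caveat matters for this specific malware: binding the session to a device key defeats off-device replay of the captured cookie, but SharkBot also gains accessibility-service control of the handset itself, so requests driven from the infected device would still carry a valid proof of possession. Server-side transaction monitoring and out-of-band confirmation remain necessary for that case.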
SharkBot was first discovered by Cleafy in October 2021.
According to Cleafy’s initial analysis on SharkBot, the main objective of SharkBot was “to initiate money transfers from the compromised devices via Automatic Transfer Systems (ATS) technique that bypasses multi-factor authentication mechanisms.”