A newly upgraded version of a banking and crypto app targeting malware has recently resurfaced on the Google Play store, now with the capability to steal cookies from account logins and bypass fingerprint or authentication requirements.
A warning about the new version of the malware was shared by malware analyst Alberto Segura and treat intelligence analyst Mike Stokkel on Twitter accounts on Sept. 2, sharing their co-authored article on Fox IT’s blog.
We discovered a new version of #SharkbotDropper in Google Play used to download and install #Sharkbot! The found droppers were used in a campaign targeting UK and IT! Great work @Mike_stokkel! https://t.co/uXt7qgcCXb
— Alberto Segura (@alberto__segura) September 2, 2022
According to Segura, the new version of the malware was discovered on Aug. 22, and can “perform overlay attacks, steal data through keylogging, intercept SMS messages, or give threat actors complete remote control of the host device by abusing the Accessibility Services.”
The new malware version was found in two Android apps — “Mister Phone Cleaner” and “Kylhavy Mobile Security,” which have since amassed 50,000 and 10,000 downloads respectively.
The two apps were able to initially make it to the Play Store as Google’s automated code review did not detect any malicious code. However, it has since been removed from the store.
However, the 60,000 users who installed the apps may still be at risk and should remove the apps manually, observers have suggested.
An in-depth analysis by Italian-based security firm Leafy found that 22 targets had been identified by SharkBot, which included five cryptocurrency exchanges and a number of international banks in the US, UK, and Italy.
As for the malware’s mode of attack, the earlier version of the SharkBot malware “relied on accessibility permissions to automatically perform the installation of the dropper SharkBot malware.”
But this new version is different in that it “asks the victim to install the malware as a fake update for the antivirus to stay protected against threats.”
If installed, once the victim logs into their bank or crypto account, SharkBot is able to snatch their valid session cookie via the command “logsCookie”, which essentially bypasses any fingerprinting or authentication methods used.
This is interesting!
Sharkbot Android malware is cancelling the “Log in with your fingerprint” dialogs so that users are forced to enter the username and password
(according to @foxit blog post) pic.twitter.com/fmEfM5h8Gu
— Łukasz (@maldr0id) September 3, 2022
The first version of the SharkBot malware was first discovered by Cleafy in Oct. 2021.
According to Cleafy’s first analysis on SharkBot, the main goal of SharkBot was “to initiate money transfers from the compromised devices via Automatic Transfer Systems (ATS) technique bypassing multi-factor authentication mechanisms.”