SharkBot malware reappears on Google Play store

SharkBot malware, which was found last October, has continued to expand with new ways to hack Android crypto and bank apps.

Recently, malware that targets banking and cryptocurrency apps reappeared on the Google Play store with an updated version that can now steal cookies from account logins and bypass fingerprint or authentication requirements.

On September 2, malware analyst Alberto Segura and threat intelligence analyst Mike Stokkel tweeted a warning about the latest version of the malware on their Twitter accounts, linking to a report they co-authored for Fox IT.

The new malware, which Segura claims was found on August 22, has the ability to “perform overlay attacks, steal data through keylogging, intercept SMS messages, or give threat actors complete remote control of the host device by abusing the Accessibility Services,” among other things.

Two Android apps, “Mister Phone Cleaner” and “Kylhavy Mobile Security,” which have since had 50,000 and 10,000 downloads, respectively, were found to contain the latest malware version.

As no dangerous code was found by Google’s automated code review, the two apps were initially accepted into the Play Store. They were later removed from the store, though.

The 60,000 users who installed the apps, however, may still be at risk and should manually remove them, according to analysts.

Five cryptocurrency exchanges and a number of foreign institutions in the US, UK, and Italy were among the 22 SharkBot targets identified in an in-depth investigation by the Italian security company Cleafy.

As for the malware’s mode of attack, the older SharkBot version “relied on accessibility permissions to automatically complete the installation of the dropper SharkBot malware.”

The latest version, however, differs in that it “asks the user to install the malware as a phony update for the antivirus to keep protected against attacks.”
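Because the payload now arrives as a manually installed "update" and then depends on Accessibility Services, one check a defender can run on a device is to list every package that has an accessibility service enabled but was not installed by the Play Store. The script below is an added example, not code from the report or from the article; it parses output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`, and every package name in the samples is constructed.

```python
PLAY_STORE = "com.android.vending"

# Constructed sample of: adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:com.example.cleaner  installer=com.android.vending
package:com.example.fakeupdate  installer=null
package:com.example.reader  installer=com.google.android.packageinstaller
"""

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = "com.example.fakeupdate/.Helper:com.example.bank/.ReaderService"


def parse_installers(text):
    """Map package name -> installer package (None when unset or 'null')."""
    installers = {}
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            key, _, value = field.partition("=")
            if key == "installer" and value not in ("", "null"):
                installer = value
        installers[fields[0][len("package:"):]] = installer
    return installers


def parse_accessibility(value):
    """Return the packages that own an enabled accessibility service."""
    value = value.strip()
    if value in ("", "null"):
        return set()
    # Entries are colon-separated "package/ServiceClass" component names.
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}


def flag_sideloaded_a11y(packages_text, a11y_value, trusted=(PLAY_STORE,)):
    """List (package, installer) pairs with accessibility on and an untrusted installer."""
    installers = parse_installers(packages_text)
    owners = sorted(parse_accessibility(a11y_value))
    return [(p, installers.get(p)) for p in owners if installers.get(p) not in trusted]


if __name__ == "__main__":
    for pkg, installer in flag_sideloaded_a11y(SAMPLE_PACKAGES, SAMPLE_A11Y):
        print(f"review: {pkg} (installer={installer}) has an accessibility service enabled")
```

Preinstalled system accessibility services also report no installer, so known vendor packages should be added to `trusted` before treating a hit as suspicious.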

If SharkBot is installed, it can use the command “logsCookie” to steal the victim’s legitimate session cookie once they log into their bank or cryptocurrency account, effectively bypassing any fingerprinting or authentication measures.

Cleafy made the initial discovery of the SharkBot virus in October 2021.

SharkBot’s primary objective, according to Cleafy’s first investigation, was “to begin money transfers from the infected devices via Automatic Transfer Systems (ATS) approach evading multi-factor authentication measures.”