A new and updated version of the SharkBot malware has returned to Google's Play Store, targeting Android users' banking logins via apps with tens of thousands of installations. When submitted to Google's automatic review, the malware was found in two Android apps that did not contain any malicious code. SharkBot, on the other hand, is added in an update that takes place after the user installs and launches the dropper apps.
According to a blog post by Fox IT, a division of the NCC Group, the two malicious apps are "Mister Phone Cleaner" and "Kylhavy Mobile Security," which have 60,000 installations combined. Although the two apps have been removed from Google Play, users who have installed them are still at risk and will require to uninstall them manually.
SharkBot has advanced now
SharkBot was discovered in October 2021 by malware analysts at Cleafy, an Italian online fraud management and prevention company. NCC Group discovered the first apps carrying it on Google Play in March 2022.
At the time, the malware was capable of performing overlay attacks, stealing data through keylogging, intercepting SMS messages, and granting threat actors complete remote control of the host device by abusing the Accessibility Services.
ThreatFabric researchers discovered SharkBot 2 in May 2022, which included a domain generation algorithm (DGA), an updated communication protocol, and completely refactored code. On August 22, Fox-IT researchers discovered a new version of the malware (2.25) that adds the ability to steal cookies from bank account logins.
“Abusing the accessibility permissions, the dropper was able to automatically click all the buttons shown in the UI to install Sharkbot. But this is not the case in this new version of the dropper for Sharkbot. The dropper instead will make a request to the C2 server to directly receive the APK file of Sharkbot. It won’t receive a download link alongside the steps to install the malware using the ‘Automatic Transfer Systems’ (ATS) features, which it normally did,” Fox IT says.
When the dropper app is installed, it contacts the command and control (C2) server and requests the malicious SharkBot APK file. The dropper then notifies the user that an update is available and instructs them to install the APK and grant all necessary permissions. SharkBot stores its hard-coded configuration in encrypted form using the RC4 algorithm to make automated detection more complicated.
About cookie-loving Sharkbot
SharkBot 2.25 retains the overlay, SMS intercept, remote control, and keylogging systems, but a cookie logger has been added on top of them. When the victim logs into their bank account, SharkBot uses a new command ("logsCookie") to steal their valid session cookie and send it to the C2.
Cookies are useful for account takeovers because they contain software and location information that help bypass fingerprinting checks or, in some cases, the user authentication token itself. Throughout the investigation, Fox IT personnel discovered new SharkBot campaigns in Europe (Spain, Austria, Germany, Poland, and Austria) and the United States.
The researchers discovered that the malware uses the keylogging feature in these attacks to steal sensitive information directly from the official app it targets. Fox IT expects SharkBot campaigns to continue and the malware to evolve now that an improved version of the malware is available.
