SharkBot malware found on Google Play Store stealing login info again

PC cleaner and antivirus apps from Google Play Store found installing SharkBot Android malware

The banking malware again distributed via masqueraded apps

The information stealing and banking data-targeting Android malware was found installed with the help of applications masquerading as antivirus or cleaner applications on the official Google Play Store. The Android banking trojan SharkBot has made an appearance on the store a few times before, but the new upgraded version has now returned once again.^[1]

The threat targets banking login information and spreads via applications that have already gathered tens of thousands of installations from the store. Two particular Android applications that have been used for the distribution of the infection had no malicious code or features when these programs got submitted for automatic review before placing them for user access on the official Google Play Store.^[2]

These two malicious apps, Mister Phone Cleaner and Kylhavy Mobile Security, collectively gathered 60,000 installations.^[3] These programs have been removed from the Google Plat already, but users who already installed them can still be at risk and should search for the Android app ad remove them manually from the machine, clear any threats that raise suspicion, and clean machines with proper anti-malware tools.

New applications on the masqueraded list

The analysis of these newer samples and campaigns released recently shows that the threat is evolved and improved. The analysis from NCC Group's Fox-IT reports^[4] that the threat asks victims to install the particular virus as the fake update for the antivirus to stay protected against cyber threats instead of using the Accessibility permissions to trigger the drop automatically.

This new dropper doesn't rely on Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware

The application analysis also shows that these malicious pieces mainly targeted people in Spain, Australia, Germany, Poland, Austria, and the US. This threat was discovered back on October 2021, and these campaigns where malware is spread via Google Play Store apps started in March of this year.^[5]

At the time of previous campaigns, the malware was capable of performing overlay attacks and stealing data using keylogging, intercepting SMS messages, and giving threat actors remote control of the device by using Accessibility Services.^[6] Also, other researchers discovered that SharkBot 2 attacks in May 2022 came with the function of domain generation. The algorithm is used for updating the communication protocol and fully refactored code.

Improved Sharkbot Android banking malware

New versions of the same malware, which can be called SharkBot 2.25, were discovered on August 22. These campaigns show that on the capability list, the malware now has the function to steal cookies from bank account logins and the upper mentioned dropper function that is not using the Accessibility Services as the malware did before.

The dropper, once installed, can contact the C&C server and request the malicious SharkBot APK file. Users then receive alerts about available and required updates and ask them to allow the installation of the APK file and grant permissions that are required. This is how malware ends up on the machine with users' help.

This malware can even make automatic detection more difficult with hard-coded configuration stored in decrypted form using the RC4 algorithm. The malware has the main goal of getting cookies that are valuable for taking over accounts and contain software and location parameters that help to bypass fingerprint checks and other authentication. These improvements mean that ShardkBot malware will continue to evolve in the future.