SharkBot Malware Returned to Google Play Store

SharkBot Malware Returned to Google Play Store

SharkBot malware has returned in a fresh and upgraded edition, according to a post published by security news website Bleeping Computer. The malware started showing up in October 2021 is targeting Android users’ banking credentials.

The malware can carry out “overlay attacks, steal data through keylogging, intercept SMS messages, or give threat actors complete remote control of the host device by abusing the Accessibility Services,” according to the research. Researchers discovered the updated SharkBot 2.25 in August 2022, which includes the ability to steal cookies from bakery account logins. Additionally, unlike earlier versions, malware version 2.25 no longer takes advantage of the victim’s devices’ accessibility services.

The Android programs “Mister Phone Cleaner” and “Kylhavy Mobile Security” contain the malware. When the applications were submitted for automatic inspection by Google, no harmful code was present. After the user installed the application and started the dropper software, threat actors cunningly inserted the malware in the application update. Following dropper installation, the program contacts the command and control (C2) server and asks for the malicious SharkBot APK file. When a user takes this step, a dropper alerts them to an application update and asks for their permission to install the APK. To avoid detection, the malware has encrypted its hard-coded configuration using the RC4 method. When the victim logs into their banking account, the virus waits and steals personal

When the victim attempts to access their banking account, the malware waits for them to log in before stealing their active cookie session with the command “logscookies” and sharing it with their C2 server.

Together, the two malicious programs have amassed more than 60,000 installations. Although the apps are no longer available on Google Play, those who have downloaded them still face danger. It is encouraged for users to manually remove it from their devices.

Source

https://www.bleepingcomputer.com/news/security/sharkbot-malware-sneaks-back-on-google-play-to-steal-your-logins/

Related Publications

SharkBot malware plays ‘hide and seek’ as an Android antivirus in Google Play Store