Dangerous SharkBot Malware Back on Google Play as Fake Antivirus Apps
Fox-IT has observed an upgraded version of the SharkBot dropper active on Google Play that delivers a new version of SharkBot. The new dropper asks the user to install the malware as a fake update for the antivirus app, supposedly to stay protected against threats.

Researchers identified two SharkBot dropper apps, “Mister Phone Cleaner” and “Kylhavy Mobile Security”, active on the Google Play Store with nearly 10K and 50K installations respectively.

Unlike the earlier variants of the dropper, which relied on Accessibility permissions to install the SharkBot malware automatically, the new versions ask the victim to install the malware themselves.


Upgraded Version of the SharkBot Malware

Active since October 2021, SharkBot is a banking Trojan that steals banking account credentials and bypasses multi-factor authentication mechanisms.

Experts at Cleafy, an Italian online fraud management and prevention company, found SharkBot in October 2021, and in March 2022 NCC Group found the first apps carrying it on Google Play.

Researchers at ThreatFabric noticed SharkBot 2, which came with a domain generation algorithm (DGA), an updated communication protocol, and fully refactored code. On the 22nd of August 2022, Fox-IT’s Threat Intelligence team found a new SharkBot sample, version 2.25, communicating with command-and-control servers. This version adds a feature to steal session cookies from victims who log into their bank accounts.

According to the blog post from Fox-IT, “Abusing the accessibility permissions, the dropper was able to automatically click all the buttons shown in the UI to install Sharkbot. But this is not the case in this new version of the dropper for Sharkbot.”

In this case, the dropper makes a request to the C2 server and directly receives the APK file of SharkBot. Previously, the Fox-IT team says, it received a download link together with the steps needed to install the malware using the ‘Automatic Transfer Systems’ (ATS) features; the new dropper no longer does this.

Encrypted POST request for downloading SharkBot (Fox IT)

The dropper sends the POST request with a JSON object in the body containing information about the infection; the body is encrypted using RC4 with a hard-coded key. The dropper then asks the user to install the downloaded APK as an update for the fake antivirus.
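The RC4 decoder below is an added example of the kind of helper an analyst would write to inspect the dropper's encrypted POST body or its embedded configuration; it is not code from Fox-IT or from the malware, and the key and the report fields are constructed placeholders, not values recovered from a real sample.

```python
"""RC4 helper for analysing SharkBot-style dropper traffic.

The dropper encrypts its JSON POST body (and its embedded configuration)
with RC4 under a hard-coded key. Once an analyst has recovered that key
from the APK, captured bodies can be decrypted and parsed offline.
"""
import json

# Constructed placeholder, NOT the real key from the SharkBot dropper.
PLACEHOLDER_KEY = b"placeholder-key-from-apk"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: encrypt and decrypt are the same."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm, XORed in
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_body(key: bytes, blob: bytes) -> dict:
    """Decrypt a captured POST body and parse the JSON infection report."""
    plain = rc4(key, blob)
    try:
        return json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        # Wrong key or truncated capture: RC4 yields bytes that are not JSON.
        raise ValueError("body did not decrypt to JSON; check key and capture")


# Constructed sample: what a check-in body might look like once decrypted.
# Field names are invented for illustration only.
SAMPLE_REPORT = {"bot_id": "example-0001", "model": "Pixel", "country": "ES"}
SAMPLE_BLOB = rc4(PLACEHOLDER_KEY, json.dumps(SAMPLE_REPORT).encode())

if __name__ == "__main__":
    print(decrypt_body(PLACEHOLDER_KEY, SAMPLE_BLOB))
```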

“To make detection of the dropper by Google’s review team even harder, the malware contains a basic configuration hard coded and encrypted using RC4”, says Fox-IT.

In SharkBot 2.25, the overlay, SMS intercept, remote control, and keylogging systems are still present, and a cookie logger feature has been added on top of them. Through a new command, ‘logsCookie’, SharkBot receives a URL and a User-Agent value; it then opens a WebView that loads that URL with the received User-Agent as the request header, so that the session cookies set by the site can be captured.

Function to Steal Cookies (Fox IT)

Researchers say the list of targeted countries has expanded to include Spain, Australia, Poland, Germany, the United States of America and Austria. Notably, the newly targeted applications are not attacked with the typical web injections but through the keylogging (grabber) features.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
