Friday, November 1, 2024
HomeAndroidDangerous SharkBot Malware Back on Google Play as Fake Antivirus Apps

Dangerous SharkBot Malware Back on Google Play as Fake Antivirus Apps

Published on

Malware protection

Fox IT has observed an upgraded version of the SharkBot malware active in the Google Play and dropping a new version of Sharkbot. This new dropper requests the user to install the malware as a fake update for the antivirus to stay protected against threats.

Researchers identified two SharkbotDopper apps such as “Mister Phone Cleaner” and “Kylhavy Mobile Security” active in Google Play Store with nearly 10K and 50K installations respectively. 

The earlier variants of the dropper doesn’t depend on Accessibility permissions to automatically to install the Sharkbot malware, instead the new versions asks the victim to install the malware.

- Advertisement - SIEM as a Service

Upgraded Version of the SharkBot Malware

The malware is active since October 2021, SharkBot is a banking Trojan, that allows stealing banking account credentials and bypass multi-factor authentication mechanisms.

Experts at Cleafy, an Italian online fraud management and prevention company, found SharkBot in October 2021 and in March 2022, NCC Group found the first apps carrying it on the Google Play.

Researchers at ThreatFabric noticed SharkBot 2 that came with a domain generation algorithm (DGA), an updated communication protocol, and a fully refactored code. On the 22nd of August 2022, Fox-IT’s Threat Intelligence team found a new Sharkbot sample with version 2.25; communicating with command-and-control servers. This version brings in a new feature to steal session cookies from the victims that logs into their bank account.

According to the blog post from Fox IT, “Abusing the accessibility permissions, the dropper was able to automatically click all the buttons shown in the UI to install Sharkbot. But this not the case in this new version of the dropper for Sharkbot.”

In this case, the dropper will make a request to the C2 server to directly receive the APK file of Sharkbot. It won’t receive a download link alongside the steps to install the malware using the ‘Automatic Transfer Systems’ (ATS) features, which it normally did, say the Fox IT team.

Encrypted POST request for downloading SharkBot (Fox IT)

The dropper the POST request body with a JSON object containing information about the infection and body of the request is encrypted using RC4 and a hard coded key. Now the dropper will request the user to install this APK as an update for the fake antivirus. 

“To make detection of the dropper by Google’s review team even harder, the malware contains a basic configuration hard coded and encrypted using RC4”, Fox IT.

In SharkBot 2.25, the overlay, SMS intercept, remote control, and keylogging systems are still present but a cookie logger feature has been added on top of them. This new feature allows Sharkbot to receive an URL and a User-Agent value – using a new command ‘logsCookie’, these will be used to open a WebView loading this URL – using the received User-Agent as header.

Function to Steal Cookies (Fox IT)

Therefore, researchers say the list of targeted countries has developed including Spain, Australia, Poland, Germany, United States of America and Austria. Particularly, the new targeted applications are not targeted using the typical webinjections, but they are targeted using the keylogging – grabber – features.

Secure Azure AD Conditional Access – Download Free White Paper

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling...