Tuesday, July 23, 2024

Dangerous SharkBot Malware Back on Google Play as Fake Antivirus Apps

Fox IT has observed an upgraded version of the SharkBot malware active in the Google Play and dropping a new version of Sharkbot. This new dropper requests the user to install the malware as a fake update for the antivirus to stay protected against threats.

Researchers identified two SharkbotDopper apps such as “Mister Phone Cleaner” and “Kylhavy Mobile Security” active in Google Play Store with nearly 10K and 50K installations respectively. 

The earlier variants of the dropper doesn’t depend on Accessibility permissions to automatically to install the Sharkbot malware, instead the new versions asks the victim to install the malware.

Upgraded Version of the SharkBot Malware

The malware is active since October 2021, SharkBot is a banking Trojan, that allows stealing banking account credentials and bypass multi-factor authentication mechanisms.

Experts at Cleafy, an Italian online fraud management and prevention company, found SharkBot in October 2021 and in March 2022, NCC Group found the first apps carrying it on the Google Play.

Researchers at ThreatFabric noticed SharkBot 2 that came with a domain generation algorithm (DGA), an updated communication protocol, and a fully refactored code. On the 22nd of August 2022, Fox-IT’s Threat Intelligence team found a new Sharkbot sample with version 2.25; communicating with command-and-control servers. This version brings in a new feature to steal session cookies from the victims that logs into their bank account.

According to the blog post from Fox IT, “Abusing the accessibility permissions, the dropper was able to automatically click all the buttons shown in the UI to install Sharkbot. But this not the case in this new version of the dropper for Sharkbot.”

In this case, the dropper will make a request to the C2 server to directly receive the APK file of Sharkbot. It won’t receive a download link alongside the steps to install the malware using the ‘Automatic Transfer Systems’ (ATS) features, which it normally did, say the Fox IT team.

Encrypted POST request for downloading SharkBot (Fox IT)

The dropper the POST request body with a JSON object containing information about the infection and body of the request is encrypted using RC4 and a hard coded key. Now the dropper will request the user to install this APK as an update for the fake antivirus. 

“To make detection of the dropper by Google’s review team even harder, the malware contains a basic configuration hard coded and encrypted using RC4”, Fox IT.

In SharkBot 2.25, the overlay, SMS intercept, remote control, and keylogging systems are still present but a cookie logger feature has been added on top of them. This new feature allows Sharkbot to receive an URL and a User-Agent value – using a new command ‘logsCookie’, these will be used to open a WebView loading this URL – using the received User-Agent as header.

Function to Steal Cookies (Fox IT)

Therefore, researchers say the list of targeted countries has developed including Spain, Australia, Poland, Germany, United States of America and Austria. Particularly, the new targeted applications are not targeted using the typical webinjections, but they are targeted using the keylogging – grabber – features.

Secure Azure AD Conditional Access – Download Free White Paper


Latest articles

Beware Of Dating Apps Exposing Your Personal And Location Details To Cyber Criminals

Threat actors often attack dating apps to steal personal data, including sensitive data and...

Hackers Abusing Google Cloud For Phishing

Threat actors often attack cloud services for several illicit purposes. Google Cloud is targeted...

Two Russian Nationals Charged for Cyber Attacks against U.S. Critical Infrastructure

The United States has designated Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, two members...

Threat Actors Taking Advantage of CrowdStrike BSOD Bug to Deliver Malware

Threat actors have been found exploiting a recently discovered bug in CrowdStrike's software that...

NCA Shut’s Down the Most Popular “digitalstress” DDoS-for-hire Service

The National Crime Agency (NCA) has successfully infiltrated and dismantled one of the most...

Play Ransomware’s Linux Variant Attacking VMware ESXi Servers

A new Linux variant of Play ransomware targets VMware ESXi environments, which encrypts virtual...

SonicOS IPSec VPN Vulnerability Let Attackers Cause Dos Condition

SonicWall has disclosed a critical heap-based buffer overflow vulnerability in its SonicOS IPSec VPN....
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles