Categories: AndroidMalware

Dangerous SharkBot Malware Back on Google Play as Fake Antivirus Apps

Fox IT has observed an upgraded version of the SharkBot malware active in the Google Play and dropping a new version of Sharkbot. This new dropper requests the user to install the malware as a fake update for the antivirus to stay protected against threats.

Researchers identified two SharkbotDopper apps such as “Mister Phone Cleaner” and “Kylhavy Mobile Security” active in Google Play Store with nearly 10K and 50K installations respectively. 

The earlier variants of the dropper doesn’t depend on Accessibility permissions to automatically to install the Sharkbot malware, instead the new versions asks the victim to install the malware.

Upgraded Version of the SharkBot Malware

The malware is active since October 2021, SharkBot is a banking Trojan, that allows stealing banking account credentials and bypass multi-factor authentication mechanisms.

Experts at Cleafy, an Italian online fraud management and prevention company, found SharkBot in October 2021 and in March 2022, NCC Group found the first apps carrying it on the Google Play.

Researchers at ThreatFabric noticed SharkBot 2 that came with a domain generation algorithm (DGA), an updated communication protocol, and a fully refactored code. On the 22nd of August 2022, Fox-IT’s Threat Intelligence team found a new Sharkbot sample with version 2.25; communicating with command-and-control servers. This version brings in a new feature to steal session cookies from the victims that logs into their bank account.

According to the blog post from Fox IT, “Abusing the accessibility permissions, the dropper was able to automatically click all the buttons shown in the UI to install Sharkbot. But this not the case in this new version of the dropper for Sharkbot.”

In this case, the dropper will make a request to the C2 server to directly receive the APK file of Sharkbot. It won’t receive a download link alongside the steps to install the malware using the ‘Automatic Transfer Systems’ (ATS) features, which it normally did, say the Fox IT team.

Encrypted POST request for downloading SharkBot (Fox IT)

The dropper the POST request body with a JSON object containing information about the infection and body of the request is encrypted using RC4 and a hard coded key. Now the dropper will request the user to install this APK as an update for the fake antivirus. 

“To make detection of the dropper by Google’s review team even harder, the malware contains a basic configuration hard coded and encrypted using RC4”, Fox IT.

In SharkBot 2.25, the overlay, SMS intercept, remote control, and keylogging systems are still present but a cookie logger feature has been added on top of them. This new feature allows Sharkbot to receive an URL and a User-Agent value – using a new command ‘logsCookie’, these will be used to open a WebView loading this URL – using the received User-Agent as header.

Function to Steal Cookies (Fox IT)

Therefore, researchers say the list of targeted countries has developed including Spain, Australia, Poland, Germany, United States of America and Austria. Particularly, the new targeted applications are not targeted using the typical webinjections, but they are targeted using the keylogging – grabber – features.

Secure Azure AD Conditional Access – Download Free White Paper

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…

1 day ago

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…

2 days ago

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…

2 days ago

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…

2 days ago

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…

2 days ago

145,000 ICS Systems, Thousands of HMIs Exposed to Cyber Attacks

Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…

2 days ago