SharkBot Malware Resurfaces on Google Play to Steal Users’ Credentials

  • An upgraded version of the SharkBot mobile malware has been spotted on Google’s Play Store, according to a new blog post by Fox-IT, part of the NCC Group.

    The new version of SharkBot reportedly targets the banking credentials of Android users via apps that have collectively counted 60,000 installations.

    These apps, which have now been removed from the Play Store, are ‘Mister Phone Cleaner’ and ‘Kylhavy Mobile Security’.

    “This new dropper doesn’t rely on Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware,” warned the Fox-IT researchers.

    “Instead, this new version asks the victim to install the malware as a fake update for the antivirus to stay protected against threats.”

    While this method makes it more difficult for the malware to get installed (as it depends on user interaction), the dropper is now more challenging to detect before being published on the Google Play Store, since it doesn’t require Accessibility permissions, which are often treated as suspicious.

    Further, the dropper has also removed the ‘Direct Reply’ feature, which is used on Android to automatically reply to notifications received on the infected device. This is another feature that needs suspicious permissions and which, once removed, makes the malware more difficult to detect.

    Both features were already present in SharkBot V2, which was discovered by ThreatFabric in May. However, the malware appears to have since been updated even further.

    “On the 16th of August 2022, Fox IT’s Threat Intelligence team observed new command-and-control servers (C2s) that were providing a list of targets including banks outside of the United Kingdom and Italy,” the team said.

    For context, the newly targeted countries in those C2s were Spain, Australia, Poland, Germany, the US and Austria.

    In addition to targeting new countries, the new version of SharkBot spotted by Fox-IT (2.25) featured an additional capability to steal session cookies from victims who logged into their bank accounts.

    “With all these changes and new features, we are expecting to see more campaigns, targeted applications, targeted countries and changes in Sharkbot this year,” concluded the Fox-IT post.

    The advisory comes days after Google unveiled a new program created to reward researchers who find bugs in its open-source projects.