SharkBot malware is back in the Google Play Store, where two SharkBotDropper apps were identified. The two malicious apps are “Mister Phone Cleaner” and “Kylhavy Mobile Security,” which together have over 60,000 installations.
The new version, 2.25, targets the banking credentials of Android users, and its main update is a new function designed to steal cookies.
The two infected apps did not show any suspicious code in Google’s automated review. Even though the applications have since been removed from the store, Android users who installed them earlier are still at risk and should delete them from their phones.
The Story of SharkBot
The malware was first discovered in October 2021 by Cleafy, and in March 2022 NCC Group pointed to the first apps carrying it on Google Play.
The features of SharkBot 1 were:
- could operate overlay attacks
- could extract data through keylogging
- could intercept SMS messages
- could give threat actors complete remote control of the infected device by abusing the Accessibility Services.
SharkBot 2 emerged in May 2022 and was identified by researchers at ThreatFabric; its updates were:
- a domain generation algorithm (DGA)
- an adjusted communication protocol
- a fully refactored code.
On August 22, 2022, Fox IT’s researchers spotted a new and upgraded version (2.25) of the malware which “introduced a new feature to steal session cookies from the victims that logs into their bank account.”
How the 2.25 Version Works
The new malicious apps no longer abuse the Accessibility Services as before; instead they receive the APK file from the command-and-control (C2) server.
In earlier versions, the dropper abused the accessibility permissions to automatically click through every button shown in the UI and install SharkBot. The new dropper does not do this. Instead, it makes a request to the C2 server and directly receives the SharkBot APK file, rather than receiving a download link together with the steps to install the malware through the ‘Automatic Transfer Systems’ (ATS) features, as it normally did.
After the dropper app is installed, it contacts the C2 server and asks for the APK file. Only then does the victim receive a prompt to install a new “update” of the app, at which point they unknowingly install the SharkBot APK and grant it all the permissions it needs.
The malware evades automated detection by storing its hard-coded configuration in encrypted form, using the RC4 algorithm.
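As an added example that is not part of the original article or of the Fox IT research: a minimal RC4 routine of the kind an analyst uses to recover a configuration blob stored this way. The key, the JSON layout and the C2 value are constructed for the demonstration; SharkBot’s real key and configuration format are not given on this page.

```python
"""Recover an RC4-encrypted hard-coded configuration during sample triage.
Added example; key and config layout are constructed, not SharkBot's own."""
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR. The same call both encrypts and decrypts."""
    # Key-scheduling algorithm (KSA): permute S with the key bytes.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): one keystream byte per input byte.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed sample blob: a real dropper would carry it as a string or resource,
# with the key recovered from the code or a native library during analysis.
SAMPLE_KEY = b"example-key-not-real"
SAMPLE_CONFIG = {"c2": "c2.example.invalid", "cmd": "logsCookie", "interval": 60}
SAMPLE_BLOB = rc4(SAMPLE_KEY, json.dumps(SAMPLE_CONFIG).encode())


def recover_config(key: bytes, blob: bytes) -> dict:
    """Decrypt a config blob and parse it; a wrong key yields garbage, not JSON."""
    plain = rc4(key, blob)
    try:
        return json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("decryption produced no valid config; wrong key?") from exc


def extract_iocs(config: dict) -> list:
    """Pull the values a defender would block or hunt for (C2 hosts)."""
    return [str(v) for k, v in config.items() if k.startswith("c2")]


if __name__ == "__main__":
    cfg = recover_config(SAMPLE_KEY, SAMPLE_BLOB)
    print("recovered config:", cfg)
    print("indicators to hunt for:", extract_iocs(cfg))
```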
SharkBot Steals Cookies
“The overlay, SMS intercept, remote control, and keylogging systems are still present on SharkBot 2.25, but a cookie logger has been added on top of them,” according to BleepingComputer.
Using a new command (“logsCookie”), the malware steals the user’s valid session cookie while the victim is logged into their bank account, and then sends the data to the C2.
This new version targets cookies because they can be used to take over accounts: with the software and location details a session cookie carries, the malicious actor can bypass fingerprinting checks or even the need for the user’s authentication token.
During the investigation, Fox IT observed new SharkBot campaigns in Europe (Spain, Austria, Germany, Poland) and the U.S. The researchers noticed that in these attacks the malware uses its keylogging feature and steals sensitive information straight from the official app it targets.