NCC Group’s Fox-IT reported that the dangerous Android banking malware SharkBot has appeared on Google Play Store yet again. The warning about malware presence on Google Play Store was shared on Friday, September 2nd by threat intelligence analysts Alberto Segura and Mike Stokkel. The duo also co-authored Fox-IT’s report on the new development.
Malware Disguised in Play Store Apps
The malware is disguised as antivirus and cleaner applications. Unlike its previous instalments, the new dropper doesn’t just rely on Accessibility permissions to install the malware automatically. Instead, it compels the victims to install a fake update for their antivirus to prevent malware threats. This update contains the SharkBot banking trojan.
The apps in which the malware is hidden are Kylhavy Mobile Security and Mister Phone Cleaner. The two apps collectively boast 60,000 installations. According to the researchers’ blog post, these have been designed to target users in the following countries:
- USA
- Spain
- Poland
- Austria
- Germany
- Australia
Dropper Analysis
According to ThreatFabric security firm, a new version of SharkBot trojan is dropped in this campaign, dubbed V2. It features an updated C2 communication method, a refactored codebase, and a domain generation algorithm/DGA.
After it is installed on the device, it snatches the victim’s valid session cookie using the command LogsCookie whenever they log into their crypto or bank account. This helps the malware bypass authentication and fingerprinting methods to steal funds.
“Until now, SharkBot’s developers seem to have been focusing on the dropper in order to keep using Google Play Store to distribute their malware in the latest campaigns,” Segura and Stokkel noted.
Italian security firm Cleafy reported that 22 targets of SharkBot have been identified so far, including five cryptocurrency exchanges and several international banks in the UK, USA, and Italy. Cleafy discovered the first version of SharkBot in October 2021.
Malware Functionalities
Fox-IT stated that the new version of SharkBot (v. 2.25) was discovered on 22 August 2022. It boasts plenty of new functionalities, including the capability of stealing cookies when the victim logins into their bank accounts. It can also alter automatic replies to incoming messages with links containing malware.
Since it no longer requires eschewing Accessibility permissions to install the malware, it indicates scammers are continuously improving their attack tactics to prevent detection. They have also discovered ways to bypass Google’s new security restrictions and can successfully curtail APIs abuse. Furthermore, SharkBot’s unique stealing mechanisms include:
- Logging keystrokes.
- Intercepting SMS messages.
- Injecting fake overlays to obtain banking credentials.
- Conducting fraudulent fund transfers through the Automated Transfer System.
Researchers stated that users who have installed these apps could be at risk. Hence, they must immediately, manually remove them from their devices.
SharkBot and Play Store
This is not the first time the SharkBot malware has been found on Google Play Store. In fact, the malware has been on the marketplace since earlier 2022. In March, for instance, Hackread.com reported the presence of SharkBot in several fake anti-virus apps. The malicious apps had almost 60,000 downloads.
Protection Against Malicious Apps
With more than two billion active Android devices, it is no wonder that the Google Play Store is a target for malware developers.
However, at the same time, it is one of the most secure platforms for downloading Android apps. So how can you protect your phone from all of the bad stuff? Here are a few tips:
- First, make sure you’re running the latest version of Android. Google is constantly working to improve security on the platform, so newer versions of Android are less vulnerable to attack.
- Next, look at the app permissions before installing anything from the Play Store. If an app asks for more permissions than it needs, that’s a red flag that it might be up to no good.
- Install a reputable security app from the Play Store. This will add an extra layer of protection to your device, catching any malware that slips through the cracks.
- Only download apps from trusted sources. This means avoiding third-party app stores and websites – Stick to the Google Play Store.
- Finally, check reviews before downloading an app. If an app has a lot of negative reviews, it’s probably not worth your time. (Read how fake reviews cause 50% of threats against Android).
