SharkBot Steals Banking Info

Danger Lurks on Google Play Store

Millions of Android users trek through the Google Play Store daily, after all, it is the most popular App platform where software creators can sell their Apps, and tech savvy individuals can download their favorite applications.

However, the GPS is also where some of the most dangerous Apps controlled by criminal hackers reside. Recently, thousands of banking logins were the center of the latest hacking scam.

Financial institutions have been the new target of the improved version of the malicious SharkBot. The virus had been previously kicked off the GPS platform but has now returned with a bloodthirsty vengeance. On the Google Play Store platform, there are two Android Apps that had passed Google’s automatic review, because when submitted they contained no dangerous code.

However, those Apps after being analyzed by cyber security researchers, show that they were loaded with the hackers’ dangerous malware SharkBot. The ingenious owner of the malware modified the harmful App to unleash its payload during an update. So, SharkBot is activated after the user downloads the App; it then runs its dropper programs during updates.

The new installment of the SharkBot shows that it comprises two fraudulent apps; “Mister Phone Cleaner” and “Kylhavy Mobile Security”. Fox IT which is a part of the NCC Group reported that both viruses have a combined 60,000 downloads that are currently installed on Android devices.

Dangerous SharkBot Re-surfaced

Google Play has already withdrawn the two malicious programs, however, the download is still active on thousands of tech gadgets. So far, individuals have been warned about the risk and advised to manually uninstall both malicious Apps immediately.

A fraud management team located in Italy, spotted SharkBot when it first surfaced in October 2021. After being relegated from the GPS platform, the malware researchers at the NCC Group discovered the re-invigorated version on Google Play in March 2022.

Cyber analysts researching the older version of SharkBot stated that the malware was coded to perform overlay attacks. And at that time its capabilities include data theft by keylogging, and also SMS message interception. In addition, it has complete remote control of the device it infected, thus threat actors were noticed abusing Android’s Accessibility Services.

New SharkBot Versions

Further, SharkBot 2 surfaced about May 2022, according to the ThreatFabric research team. With more advanced capabilities, this newer version of SharkBot possessed a domain generation algorithm (DGA), which gives it an improved communication protocol, as well as a completely refactored code.

Recently researchers at Fox IT revealed that another version of the virus (2.25) was discovered on August 22. This, much later version, which seems to be the most powerful has the unique capability to collect cookies from bank account logins.

Additionally, unlike the past installations, the new dropper Apps don’t take advantage of the accessibility services. On the other hand, this newer virus installs its payload with the dropper automatically clicking all the available UI buttons, thus, abusing the accessibility permissions.

With this updated Sharkbot dropper, the Fox IT team revealed that the dropper seeks direct permission from the C2 server to accept the Sharkbot APK file. This is because no download link with instructions is available for installing the malware by “Automatic Transfer”.

Leave a Reply

Your email address will not be published.