SharkBot malware targeting crypto apps resurfaces on Google Play Store


A newly updated version of a malware that targets banking and crypto apps has recently resurfaced on the Google Play Store, now with the ability to steal cookies from account logins and bypass fingerprint or authentication requirements.

A warning about the new version of the malware was shared Friday by malware analyst Alberto Segura and threat intelligence analyst Mike Stokkel on their Twitter accounts, where they linked to their co-authored post on the Fox IT blog.

According to Segura, the new version of the malware was discovered on August 22 and can “perform overlay attacks, steal data via keylogging, intercept SMS messages, or give hackers complete remote control of the host device by abusing accessibility services”.

The new version of the malware was found in two Android apps, Mister Phone Cleaner and Kylhavy Mobile Security, which have since racked up 50,000 and 10,000 downloads respectively.

Both apps were initially able to make it onto the Play Store because Google’s automated code review found no malicious code, although they have since been removed from the store.

Some observers suggest that users who installed the apps may still be at risk and should remove the apps manually.

An in-depth analysis by Italian security firm Cleafy revealed that 22 targets had been identified by SharkBot, which included five cryptocurrency exchanges and a number of international banks in the US, UK and Italy.

As for how the malware attacked, the earlier version of the SharkBot malware “relied on accessibility permissions to automatically install the SharkBot dropper malware.”

But this new version is different in that it “asks the victim to install the malware as a fake update to keep the antivirus safe from threats.”

Once installed, if a victim logs into their bank or crypto account, SharkBot is able to retrieve their valid session cookie via the “logsCookie” command, which essentially bypasses any fingerprinting or authentication methods used.

The first version of the SharkBot malware was discovered by Cleafy in October 2021.


According to Cleafy’s first analysis of SharkBot, SharkBot’s primary objective was “to initiate money transfers from compromised devices via the Automated Transfer Systems (ATS) technique by bypassing multi-factor authentication mechanisms”.

