Upgraded SharkBot malware returns on Google’s Play Store

September 9, 2022

After months of absence following its removal from Google Play, the popular mobile app marketplace, the SharkBot malware has returned with an upgraded version that targets Android users and steals their banking login credentials through malware-infected applications available on the app store.

Reports revealed that two of the detected SharkBot-infected applications had initially passed Google’s automatic review since they showed no sign of malicious code. These two apps are ‘Mister Phone Cleaner’ and ‘Kylhavy Mobile Security,’ which have over 60,000 installations from Android users worldwide.

The SharkBot malware is added through an update after users install and launch the apps on their mobile devices.

Since thousands of users have already installed the malware-infected apps on their phones, they remain at risk of compromise even though the two apps have already been removed from Google’s Play Store.

The first Android apps that carried the SharkBot malware were detected in March 2022, following the malware’s initial discovery in October 2021. The malware was equipped with sophisticated features, including overlay attacks, keylogging, text message interception, and complete control of the device by the hackers from their remote server.

The apps that first carried SharkBot were removed; however, a second version of the malware was found in May 2022, now featuring a domain generation algorithm (DGA), fully enhanced code, and an upgraded communication protocol.

With its most recent version, v2.25, spotted on August 22, the SharkBot malware now has a new feature that steals cookies from users’ banking accounts to collect their login credentials. The malware operators have also stopped abusing the Accessibility Services feature in the new version; instead, the malware dropper asks the remote C2 server to send it SharkBot’s APK file directly.

The dropper then pushes a notification to the victim’s device, informing them of an ‘app update’ that they need to complete using the APK file sent by the hackers from their remote server. The update also asks the victim to grant all app permissions, allowing the malware to carry out its malicious procedures on the compromised device without trouble.

Security researchers predict that the SharkBot malware will continue its cyberattacks, especially with how it has evolved since its last version. Android users are advised to stay cautious about the apps they install on their phones to avoid being victimised.
