Experts have spotted an upgraded version of the SharkBot malware dropper that has been uploaded to the official Google Play Store.
Fox IT researchers have spotted an upgraded version of a SharkBot dropper that has been uploaded to the official Google Play Store.
While previous variants of the dropper relied on accessibility permissions to automatically install Sharkbot malware, this new one asks the victim to install the malware as a fake antivirus update.
Researchers found two SharkBot dropper apps in the Google Play Store, “Mister Phone Cleaner” and “Kylhavy Mobile Security”, with 10,000 and 50,000 installs respectively.
SharkBot is a banking trojan that has been active since October 2021, stealing bank account credentials and bypassing multi-factor authentication mechanisms.
The malware was spotted in late October by researchers from the cybersecurity firms Cleafy and ThreatFabric; its name comes from one of the domains used for its command and control servers.
The malware has been observed targeting mobile banking users in Italy, the United Kingdom and the United States. The Trojan can hijack users’ mobile devices and steal funds from online banking and cryptocurrency accounts.
SharkBot is capable of performing unauthorized transactions through Automatic Transfer Systems (ATS), an advanced attack technique not commonly found in Android malware.
ATS allows attackers to automatically populate fields in legitimate mobile banking apps and initiate money transfers without the intervention of a live operator to authorize transactions. The researchers pointed out that this technique allows the malware to receive a list of events to simulate, allowing attackers to automate and scale up their operations.
On August 16, 2022, Fox-IT researchers observed new C2 servers providing a list of targets including banks in Spain, Australia, Poland, Germany, United States of America, and Austria.
Both apps have been removed from Google Play, but users who installed them are still at risk and should remove them manually.
“On August 22, 2022, Fox-IT’s Threat Intelligence team found a new Sharkbot sample with the version 2.25, communicating with the command and control servers mentioned earlier. This version of Sharkbot introduced a new feature to steal session cookies from victims who log into their bank account,” reads the message posted by Fox IT.
The new version of the SharkBot dropper relies on user interaction to get installed. Experts pointed out that it is now harder to detect before it is published on the Google Play Store, because it does not request the accessibility permissions that malicious apps commonly rely on.
The new version of the dropper also removed the “Direct Reply” feature, which automatically responds to notifications received on the infected device.
“The dropper will instead make a request to the C2 server to directly receive the Sharkbot APK file. It will not receive a download link along with the steps to install the malware using the ‘Automatic Transfer Systems’ (ATS) features, which it normally did,” Fox IT continues.
Once installed, the dropper contacts the C2 server to request the SharkBot APK file. The rogue app then prompts the user to install the APK, which is presented as a necessary update, and to grant all the permissions it requests.
SharkBot 2.25 includes a cookie logger: when the victim logs into their bank account, the malware captures a valid session cookie using a new command (“logsCookie”) and sends it to the C2.
“This new feature allows Sharkbot to receive a URL and a User-Agent value – using a new ‘logsCookie’ command – these will be used to open a WebView loading this URL – using the received User-Agent in the header – as we can see in the following images of the code,” the report continues. “Once the victim logs into their bank account, the malware will receive the PageFinish event and will get the website cookies loaded inside the malicious WebView, eventually sending them to C2.”
Researchers have pointed out that the developers behind this threat have worked hard to enhance its capabilities and evade detection.
Fox IT researchers believe we will see more campaigns and that the malware will continue to evolve.