The Android banking trojan known as SharkBot has once again appeared on the Google Play Store, masquerading as antivirus and cleaner apps. The new dropper does not rely on Accessibility permissions to install the SharkBot payload automatically. Instead, it asks the victim to install the malware as a fake update that the antivirus supposedly needs in order to keep the device protected against threats.
See: https://redskyalliance.org/xindustry/don-t-get-bitten-by-sharkbot
The apps in question, Mister Phone Cleaner and Kylhavy Mobile Security, have over 60,000 installations between them and are designed to target users in Spain, Australia, Poland, Germany, the U.S., and Austria:
- Mister Phone Cleaner (com.mbkristine8.cleanmaster, 50,000+ downloads)
- Kylhavy Mobile Security (com.kylhavy.antivirus, 10,000+ downloads)
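A practical first check for a fleet of Android devices is to pull the installed-package list with `adb shell pm list packages -f` and match it against the two dropper package names above. The script below is an added example, not code from the original post or from Red Sky Alliance or ThreatFabric; the `pm list packages -f` listing embedded in it is constructed sample data, and the `adb` invocation assumes adb is on PATH with a device attached.

```python
"""Check an Android device's installed packages against the two SharkBot dropper
package names listed in the report.

Added example, not code from the original post or from Red Sky Alliance/ThreatFabric.
The `pm list packages -f` listing embedded below is constructed sample data; the
`adb` invocation assumes adb is on PATH and a device is attached.
"""
import subprocess
from typing import Dict, List, Optional

# Dropper package names taken from the report.
SHARKBOT_DROPPER_IOCS: Dict[str, str] = {
    "com.mbkristine8.cleanmaster": "Mister Phone Cleaner",
    "com.kylhavy.antivirus": "Kylhavy Mobile Security",
}

# Constructed sample of `adb shell pm list packages -f` output. Real output has the
# shape `package:<apk path>=<package name>`; install directories under /data/app
# routinely contain '=' characters, which the parser must tolerate.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/data/app/~~Qx1a==/com.mbkristine8.cleanmaster-Zz9==/base.apk=com.mbkristine8.cleanmaster
package:/data/app/~~Rt2b==/com.whatsapp-Yy8==/base.apk=com.whatsapp
package:/data/app/~~St3c==/com.kylhavy.antivirus-Xx7==/base.apk=com.kylhavy.antivirus
"""


def parse_pm_output(text: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages [-f]` output.

    Splits on the LAST '=' so paths containing '=' are handled; lines in the
    plain `package:<name>` form (no -f) map to an empty path.
    """
    packages: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue  # skip blank lines or warnings adb may print
        body = line[len("package:"):]
        path, sep, pkg = body.rpartition("=")
        if not sep:  # no '=' at all: plain package name
            path, pkg = "", body
        packages[pkg] = path
    return packages


def find_sharkbot_droppers(packages: Dict[str, str]) -> List[Dict[str, object]]:
    """Return one record per installed package that matches a dropper IOC."""
    hits: List[Dict[str, object]] = []
    for pkg in sorted(packages):
        if pkg in SHARKBOT_DROPPER_IOCS:
            path = packages[pkg]
            hits.append({
                "package": pkg,
                "store_name": SHARKBOT_DROPPER_IOCS[pkg],
                "apk_path": path,
                # /data/app is where user-installed (e.g. Play Store) APKs live.
                "user_installed": path.startswith("/data/app/"),
            })
    return hits


def list_packages_via_adb(serial: Optional[str] = None) -> str:
    """Pull the live package list from an attached device (requires adb on PATH)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "pm", "list", "packages", "-f"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline demo on the constructed listing; use list_packages_via_adb() for a real device.
    for hit in find_sharkbot_droppers(parse_pm_output(SAMPLE_PM_OUTPUT)):
        print(f"[!] {hit['store_name']} ({hit['package']}) at {hit['apk_path']}")
```

This only matches the two droppers. The SharkBot payload itself arrives as a separate APK through the fake-update prompt, and the report does not give its package name, so uninstalling a flagged dropper does not by itself confirm that the payload is gone; treat a hit as the start of an investigation rather than its end.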
The droppers deliver a new version of SharkBot, dubbed V2 by the Dutch security firm ThreatFabric, which features an updated command-and-control (C2) communication mechanism, a domain generation algorithm (DGA), and a fully refactored codebase. On 22 August 2022, researchers discovered a newer version, 2.25, which adds a function to steal cookies when victims log in to their bank accounts, while removing the ability to reply automatically to incoming messages with links to the malware for propagation.
Dropping Accessibility permissions as the installation path shows that the operators are actively tweaking their techniques to avoid detection, and are looking for alternative methods in the face of Google's newly imposed restrictions on abuse of the Accessibility APIs.
Other notable information-stealing capabilities include injecting fake overlays to harvest bank account credentials, logging keystrokes, intercepting SMS messages, and carrying out fraudulent fund transfers using an Automated Transfer System (ATS). SharkBot is an evolving threat that is not confined to a single region. Despite continued efforts by Apple and Google, app stores remain exposed to being abused unknowingly for distribution, with malware developers trying every trick in the book to dodge security checks. In the latest campaigns, SharkBot's developers appear to have focused their effort on the dropper so that they can keep using the Google Play Store to distribute their malware.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989