The infamous Android banking Trojan known as SharkBot has once again appeared on the Google Play Store masquerading as antivirus and cleaning apps.
“This new dropper does not rely on Accessibility permissions to automatically perform the dropper’s Sharkbot malware installation,” NCC Group’s Fox-IT said in a report. “Instead, this new version asks victims to install malware as a fake update so that the antivirus is always protected against threats.”
The apps in question, Mister Phone Cleaner and Kylhavy Mobile Security, have over 60,000 installs between them and are designed to target users in Spain, Australia, Poland, Germany, the US and Austria:
- Mister Phone Cleaner (com.mbkristine8.cleanmaster, over 50,000 downloads)
- Kylhavy Mobile Security (com.kylhavy.antivirus, 10,000+ downloads)
The dropper is designed to drop the new version of SharkBot, known as V2 by Dutch security company ThreatFabric, featuring an updated command-and-control (C2) communication mechanism, a domain generation algorithm (DGA), and a completely restructured codebase.
Fox-IT says it discovered the newer version 2.25 on August 22, 2022. This release adds cookie-stealing functionality that captures session cookies when victims log in to their bank accounts, while dropping the earlier ability to automatically reply to incoming messages with a link to the malware as a means of spreading it.
By no longer depending on Accessibility permissions to install SharkBot, the new dropper shows that the operators are actively tweaking their techniques to evade detection, and are also looking for alternatives in the face of Google's newly imposed restrictions on Play Store apps aimed at curbing abuse of the Accessibility API.
Other notable information-stealing capabilities include drawing fake overlays on top of banking apps to collect account credentials, logging keystrokes, intercepting SMS messages (including one-time codes), and performing fraudulent money transfers on the infected device using an Automated Transfer System (ATS).
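The two behaviours described above leave distinct traces in an app's manifest: a fake-update dropper has to be able to hand a second APK to the package installer, while the Accessibility-driven installation that the new dropper avoids requires a bound AccessibilityService, and the overlay and SMS capabilities of the payload need their own permissions. The following triage script is an added example, not code from Fox-IT, ThreatFabric or the SharkBot samples. It assumes the manifest has already been decoded to plain XML (for instance with `apktool d app.apk`); only the package names come from the article, and the sample manifests below are constructed for illustration.

```python
"""Manifest-permission triage for the SharkBot dropper/payload behaviours.

Added example (not the researchers' or the malware's own code). Input is a
decoded AndroidManifest.xml, e.g. the one apktool writes out. The sample
manifests at the bottom are constructed; only the package names are real.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# <uses-permission> entries that map onto capabilities named in the article.
PERMISSION_FLAGS = {
    "android.permission.REQUEST_INSTALL_PACKAGES":
        "can ask the user to install a second APK (fake-update dropper)",
    "android.permission.SYSTEM_ALERT_WINDOW":
        "can draw overlays on top of other apps (fake login screens)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS (OTP theft)",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.SEND_SMS": "can send SMS from the device",
}
# Accessibility is not a <uses-permission>; it is a <service> bound with this permission.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(xml_text: str) -> dict:
    """Return package name, human-readable findings and coarse labels."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    accessibility = any(
        s.get(PERMISSION) == ACCESSIBILITY_BIND for s in root.iter("service")
    )

    findings = [PERMISSION_FLAGS[p] for p in sorted(perms & PERMISSION_FLAGS.keys())]
    if accessibility:
        findings.append("declares an AccessibilityService (can automate the UI)")

    return {
        "package": package,
        "findings": findings,
        # Installer permission without Accessibility: the pattern of the new dropper.
        "fake_update_dropper": (
            "android.permission.REQUEST_INSTALL_PACKAGES" in perms and not accessibility
        ),
        # Older pattern: automating the install through the Accessibility API.
        "accessibility_dropper": (
            "android.permission.REQUEST_INSTALL_PACKAGES" in perms and accessibility
        ),
        # Overlay plus SMS access is what the banking payload needs.
        "banker_payload": (
            "android.permission.SYSTEM_ALERT_WINDOW" in perms
            and bool(perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"})
        ),
    }


# Constructed sample manifests. Package names are those from the article;
# the permission sets are illustrative, not taken from the real APKs.
DROPPER_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}"
    package="com.mbkristine8.cleanmaster">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

PAYLOAD_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.payload">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".A11y" android:permission="{ACCESSIBILITY_BIND}"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""


if __name__ == "__main__":
    for sample in (DROPPER_MANIFEST, PAYLOAD_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(sample)
        print(result["package"])
        for line in result["findings"] or ["no flagged capabilities"]:
            print("  -", line)
```

Treat the labels as a triage signal rather than a verdict: file managers legitimately declare `REQUEST_INSTALL_PACKAGES`, messaging apps need the SMS permissions, and screen readers ship AccessibilityServices. What made the SharkBot droppers stand out was the combination of an installer permission with a "cleaner" or "antivirus" storefront identity and a downloaded payload that is then pushed as a fake update.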
Mobile malware remains a growing and ubiquitous threat, and despite Apple's and Google's continued efforts, app stores are still susceptible to malicious apps slipping through, with the developers behind this campaign trying every trick in the book to evade the store's security checks.
“So far, the developers of SharkBot seem to have focused on the dropper to continue using the Google Play Store to distribute their malware in the latest campaigns,” said researchers Alberto Segura and Mike Stokkel.