The SharkBot malware was first discovered last October and has since resurfaced with new ways of breaking into banking and cryptocurrency apps on Android.
A newly upgraded version of the malware, which targets banking and cryptocurrency apps, recently reappeared on the Google Play store, now capable of stealing account cookies and bypassing fingerprint or other authentication requirements.
A warning about the new version of the malware was shared on Twitter by malware analyst Alberto Segura and intelligence analyst Mike Stokkel on September 2:
We discovered a new version of #SharkbotDropper in Google Play used to download and install #Sharkbot! The found droppers were used in a campaign targeting UK and IT! Great work @Mike_stokkel! https://t.co/uXt7qgcCXb
— Alberto Segura (@alberto__segura) September 2, 2022
According to Segura, the new version of the malware was discovered on August 22 and can carry out attacks, steal data through keylogging, intercept SMS messages, or give threat actors complete remote control of the infected device by abusing the Support Service.
The new malware version was found in two Android apps, “Mister Phone Cleaner” and “Kylhavy Mobile Security”, with more than 50,000 and 10,000 downloads respectively.
The two apps initially made it onto the Play Store because Google’s automated code review did not detect any malicious code; they have since been removed from the store.
Some observers think that users who have installed the apps may still be at risk and should delete them manually.
An in-depth analysis by Italy-based security firm Cleafy found that 22 targets were identified by SharkBot, including five cryptocurrency exchanges and several international banks in the United States, the United Kingdom, and Italy.
As for the attack method, an earlier version of the SharkBot malware relied on accessibility permissions to perform the malware installation automatically.
This new version differs in that it requires victims to install the software themselves, disguised as a fake update.
Once installed, if the victim logs into their bank or cryptocurrency account, SharkBot can retrieve the valid cookie through the “logsCookie” command, essentially bypassing any authentication or fingerprinting methods.
This is interesting!
Sharkbot Android malware is cancelling the "Log in with your fingerprint" dialogs so that users are forced to enter the username and password
(according to @foxit blog post) pic.twitter.com/fmEfM5h8Gu
— Łukasz (@maldr0id) September 3, 2022
The first version of SharkBot was detected by Cleafy in October 2021.
According to Cleafy’s initial analysis, SharkBot’s main goal is to transfer funds from compromised devices through the Automated Money Transfer System (ATS) technique while bypassing the multi-factor authentication mechanism.