Crypto app-targeting SharkBot malware resurfaces on Google app store

Published at: Sept. 5, 2022

A newly upgraded version of malware that targets banking and crypto apps has recently resurfaced on the Google Play store, now with the capability to steal cookies from account logins and bypass fingerprint or authentication requirements.

A warning about the new version of the malware was shared by malware analyst Alberto Segura and threat intelligence analyst Mike Stokkel on their Twitter accounts on Sept. 2, along with their co-authored article on Fox IT’s blog.

We discovered a new version of #SharkbotDropper in Google Play used to download and install #Sharkbot! The found droppers were used in a campaign targeting UK and IT! Great work @Mike_stokkel! https://t.co/uXt7qgcCXb

— Alberto Segura (@alberto__segura) September 2, 2022

According to Segura, the new version of the malware was discovered on Aug. 22, and can “perform overlay attacks, steal data through keylogging, intercept SMS messages, or give threat actors complete remote control of the host device by abusing the Accessibility Services.”

The new malware version was found in two Android apps — “Mister Phone Cleaner” and “Kylhavy Mobile Security,” which have since amassed 50,000 and 10,000 downloads respectively.

The two apps were initially able to make it onto the Play Store because Google’s automated code review did not detect any malicious code. However, they have since been removed from the store.

However, the 60,000 users who installed the apps may still be at risk and should remove the apps manually, observers have suggested. 

An in-depth analysis by Italy-based security firm Cleafy found that 22 targets had been identified by SharkBot, which included five cryptocurrency exchanges and a number of international banks in the US, UK, and Italy.

As for the malware’s mode of attack, the earlier version of the SharkBot malware “relied on accessibility permissions to automatically perform the installation of the dropper SharkBot malware.”

But this new version is different in that it “asks the victim to install the malware as a fake update for the antivirus to stay protected against threats.”

If installed, once the victim logs into their bank or crypto account, SharkBot is able to snatch their valid session cookie via the command “logsCookie”, which essentially bypasses any fingerprinting or authentication methods used.

This is interesting! Sharkbot Android malware is cancelling the "Log in with your fingerprint" dialogs so that users are forced to enter the username and password (according to @foxit blog post) pic.twitter.com/fmEfM5h8Gu

— Łukasz (@maldr0id) September 3, 2022

The first version of the SharkBot malware was discovered by Cleafy in Oct. 2021.

According to Cleafy’s first analysis on SharkBot, the main goal of SharkBot was “to initiate money transfers from the compromised devices via Automatic Transfer Systems (ATS) technique bypassing multi-factor authentication mechanisms.”
