Crypto app targeting SharkBot malware resurfaces on Google app store

The SharkBot malware family was first discovered last October, and has continued to evolve with new ways to hack into users‘ Android-based crypto and bank apps.

A newly upgraded version of a banking and crypto app targeting malware has recently resurfaced on the Google Play store, now with the capability to steal cookies from account logins and bypass fingerprint or authentication requirements.

A warning about the new version of the malware was shared by malware analyst Alberto Segura and treat intelligence analyst Mike Stokkel on Twitter accounts on Sept. 2, sharing their co-authored article on the Fox IT blog.

We discovered a new version of #SharkbotDropper in Google Play used to download and install #Sharkbot! The found droppers were used in a campaign targeting UK and IT! Great work @Mike_stokkel! https://t.co/uXt7qgcCXb

— Alberto Segura (@alberto__segura) September 2, 2022

According to Segura, the new version of the malware was discovered on Aug. 22, and can “perform overlay attacks, steal data through keylogging, intercept SMS messages, or give threat actors complete remote control of the host device by abusing the Accessibility Services.”

The new malware version was found in two Android apps — “Mister Phone Cleaner” and “Kylhavy Mobile Security,” which have since amassed 50,000 and 10,000 downloads respectively.

The two apps were able to initially make it to the Play Store as Google’s automated code review did not detect any malicious code, though it has since been removed from the store.

Some observers suggest that users who installed the apps may still be at risk and should remove the apps manually.

An in-depth analysis by Italian-based security firm Cleafy found that 22 targets had been identified by SharkBot, which included five cryptocurrency exchanges and a number of international banks in the U.S., U.K., and Italy.

As for the malware’s mode of attack, the earlier version of the SharkBot malware “relied on accessibility permissions to automatically perform the installation of the dropper SharkBot malware.”

But this new version is different in that it “asks the victim to install the malware as a fake update for the antivirus to stay protected against threats.”

Once installed, should a victim log into their bank or crypto account, SharkBot is able to snatch their valid session cookie via the command “logsCookie,” which essentially bypasses any fingerprinting or authentication methods used.

This is interesting!
Sharkbot Android malware is cancelling the „Log in with your fingerprint“ dialogs so that users are forced to enter the username and password
(according to @foxit blog post) pic.twitter.com/fmEfM5h8Gu

— Łukasz (@maldr0id) September 3, 2022

The first version of the SharkBot malware was first discovered by Cleafy in October 2021.

According to Cleafy’s first analysis of SharkBot, the main goal of SharkBot was “to initiate money transfers from the compromised devices via Automatic Transfer Systems (ATS) technique bypassing multi-factor authentication mechanisms.”