December 6, 2022
SharkBot malware spreads via Google Play to steal your credentials

SharkBot malware is back on Google’s Play Store in a new, upgraded version that can steal cookies from account logins and bypass fingerprint or authentication requirements.

Several months ago it was announced that a Trojan disguised as an antivirus app was spreading via the Google Play Store. The malware appears to have evolved. Now it can steal user login cookies and your credentials.

The malware was present in two Android apps that did not feature any malicious code when submitted to Google’s automatic review.

However, Google Play could not detect SharkBot because the malware is added in an update that occurs after the user installs and launches the dropper apps.

The new version of the malware was discovered on Aug. 22, and can “perform overlay attacks, steal data through keylogging, intercept SMS messages, or give threat actors complete remote control of the host device by abusing the Accessibility Services.”

The malware was found in two Android apps — “Mister Phone Cleaner” and “Kylhavy Mobile Security,” which have 50,000 and 10,000 downloads respectively.

Google has removed these two applications from Google Play, but users who installed them remain at risk and have to remove the applications manually.

An in-depth analysis by Italy-based security firm Cleafy found that 22 targets had been identified by SharkBot, which included five cryptocurrency exchanges and several international banks in the U.S., U.K., and Italy.

For some time now, SharkBot has been able to manipulate Android’s accessibility features to perform arbitrary actions on the target device. Now the Trojan has been enhanced with a cookie-stealing feature. As soon as the smartphone owner logs into their bank account, the session cookie is tapped and sent to a command and control server (C2).

According to Cleafy’s first analysis of SharkBot, the main goal of SharkBot was “to initiate money transfers from the compromised devices via Automatic Transfer Systems (ATS) technique bypassing multi-factor authentication mechanisms.”

So if you have installed “Mister Phone Cleaner” and “Kylhavy Mobile Security,” remove these two Android apps from your phone immediately; otherwise your bank balance will be zero.
