SharkBot malware sneaks back on Google Play to steal your logins



A new and upgraded version of the SharkBot malware has returned to Google's Play Store, targeting banking logins of Android users through apps that have tens of thousands of installations.


The malware was present in two Android apps that did not feature any malicious code when submitted to Google's automatic review.


However, SharkBot is added in an update that occurs after the user installs and launches the dropper apps.


According to a blog post by Fox IT, part of the NCC Group, the two malicious apps are “Mister Phone Cleaner” and “Kylhavy Mobile Security,” collectively counting 60,000 installations.



The two applications dropping SharkBot (Fox IT)

The two applications have been removed from Google Play, but users who installed them are still at risk and should remove them manually.


SharkBot evolved


Malware analysts at Cleafy, an Italian online fraud management and prevention company, discovered SharkBot in October 2021. In March 2022, NCC Group found the first apps carrying it on Google Play.


At that time, the malware could perform overlay attacks, steal data through keylogging, intercept SMS messages, or give threat actors complete remote control of the host device by abusing the Accessibility Services.


In May 2022, researchers at ThreatFabric spotted SharkBot 2, which came with a domain generation algorithm (DGA), an updated communication protocol, and fully refactored code.


Researchers at Fox IT discovered a new version of the malware (2.25) on August 22, which adds the capability to steal cookies from bank account logins.


Additionally, the new dropper apps don’t abuse the Accessibility Services as they did before.



“Abu ..
