Linchakin

Dangerous SharkBot Malware Back on Google Play as Fake Antivirus Apps

September 06, 2022


Fox IT has observed an upgraded version of the SharkBot dropper active on Google Play, dropping a new version of SharkBot. This new dropper asks the user to install the malware as a fake update for the antivirus, supposedly to stay protected against threats.

Researchers identified two SharkBotDropper apps, “Mister Phone Cleaner” and “Kylhavy Mobile Security”, active in the Google Play Store with nearly 10K and 50K installations respectively.

Unlike earlier variants, the new dropper does not depend on Accessibility permissions to install the SharkBot malware automatically; instead, it asks the victim to install the malware.

Upgraded Version of the SharkBot Malware


SharkBot, active since October 2021, is a banking Trojan that steals bank account credentials and bypasses multi-factor authentication mechanisms.

Experts at Cleafy, an Italian online fraud management and prevention company, found SharkBot in October 2021, and in March 2022 NCC Group found the first apps carrying it on Google Play.

Researchers at ThreatFabric noticed SharkBot 2, which came with a domain generation algorithm (DGA), an updated communication protocol, and fully refactored code. On the 22nd of August 2022, Fox-IT’s Threat Intelligence team found a new SharkBot sample, version 2.25, communicating with command-and-control servers. This version adds a feature that steals session cookies from victims who log in to their bank accounts.

#SharkBot hits the shores with a new Variant!

Welcome SharkBot 2, with its latest version 2.8, with fully refactored code.
It features:
– No more Notification AutoReply,
– #DGA supporting more domain extensions
– Updated communication protocol still based on RC4+RSA encryption pic.twitter.com/CO3JZCSSVO

— ThreatFabric (@ThreatFabric) May 12, 2022

According to the blog post from Fox IT, “Abusing the accessibility permissions, the dropper was able to automatically click all the buttons shown in the UI to install Sharkbot. But this is not the case in this new version of the dropper for Sharkbot.”

In this case, the dropper makes a request to the C2 server and directly receives the SharkBot APK file. It no longer receives a download link alongside the steps to install the malware using the ‘Automatic Transfer Systems’ (ATS) features, as it normally did, says the Fox IT team.

Encrypted POST request for downloading SharkBot (Fox IT)

The dropper sends a POST request whose body is a JSON object containing information about the infection; the body of the request is encrypted using RC4 and a hard-coded key. The dropper then asks the user to install the received APK as an update for the fake antivirus.

“To make detection of the dropper by Google’s review team even harder, the malware contains a basic configuration hard coded and encrypted using RC4,” says Fox IT.
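For analysts, the RC4 layer described above (on the request body and on the hard-coded configuration alike) can be removed once the key string is located in the sample. The following is an added example, not code from Fox IT or from the malware: it tries candidate strings as RC4 keys and accepts the one whose output parses as a JSON object. The key, the JSON field names and the candidate strings are constructed placeholders.

```python
import json

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def recover_body(ciphertext: bytes, candidate_keys):
    """Try each string pulled from the sample as an RC4 key and accept
    the first one whose output parses as a JSON object."""
    for key in candidate_keys:
        if not key:
            continue                          # RC4 needs a non-empty key
        try:
            obj = json.loads(rc4(key.encode(), ciphertext).decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            continue                          # wrong key: output is noise
        if isinstance(obj, dict):
            return key, obj
    return None, None

# Constructed stand-ins: neither the key nor the field names come from a real sample.
PLACEHOLDER_KEY = "EXAMPLE-KEY-not-from-any-sample"
CONSTRUCTED_BODY = rc4(
    PLACEHOLDER_KEY.encode(),
    json.dumps({"device_id": "constructed-0001", "lang": "en"}).encode(),
)
# Constructed list of strings an analyst might extract from a decompiled APK.
CANDIDATES = ["", "com.example.cleaner", "AES/CBC/PKCS5Padding", PLACEHOLDER_KEY]

if __name__ == "__main__":
    key, body = recover_body(CONSTRUCTED_BODY, CANDIDATES)
    print("key:", key)
    print("body:", body)
```

Because RC4 has no integrity check, a wrong key still produces output; the JSON-object test is what separates the right key from noise.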

In SharkBot 2.25, the overlay, SMS intercept, remote control, and keylogging systems are still present, but a cookie logger feature has been added on top of them. With a new command, ‘logsCookie’, SharkBot receives a URL and a User-Agent value; these are used to open a WebView that loads this URL, with the received User-Agent as a header.

Function to Steal Cookies (Fox IT)

Researchers say the list of targeted countries has grown to include Spain, Australia, Poland, Germany, the United States of America and Austria. In particular, the newly targeted applications are not attacked with the typical web injections; they are targeted using the keylogging (grabber) features.
