Users are warned about a newly upgraded version of malware targeting banking and crypto apps that has resurfaced on the Google Play Store. It can steal cookies from account logins and bypass fingerprint or authentication requirements.
Malware analysts Alberto Segura and Mike Stokkel discovered this upgraded malware on August 22 and discussed it in an article on Fox IT’s blog. They discovered a new version of the SharkBot dropper in the Google Play Store, used to download and install SharkBot. Segura and Stokkel said the droppers were used in a campaign targeting the UK and IT.
The upgraded malware can perform overlay attacks, steal data through keylogging, intercept SMS messages, and even give threat actors complete remote control of the host device by abusing the Accessibility Services. Segura said the malware was found in two Android apps – Mister Phone Cleaner and Kylhavy Mobile Security. They have since amassed 50,000 and 10,000 downloads, respectively. The apps made it to the Play Store because Google’s automated code review did not detect any malicious code, but they have been removed from the store.
The 60,000 users who installed the apps might still be at risk. Experts suggest they should remove the apps manually. Cleafy, an Italian-based security firm, found that 22 targets had been identified by SharkBot. They included five cryptocurrency exchanges and a number of international banks in the US, UK and Italy. Experts say the earlier version of the SharkBot malware depended on accessibility permissions to automatically install the dropper SharkBot malware. The new version is different: it asks the victim to install the malware as a fake update for the antivirus, supposedly to stay protected against threats.
If the victim logs into their bank or crypto account after installing the new malware, SharkBot can snatch their valid session cookie through the command `logsCookie`. This helps it bypass any fingerprint or authentication methods used.