60K Downloads for now-removed apps that prey on victims in the US and Australia. To find their new victims, the owners of the banking Trojan SharkBot have turned to Google Play. On now-deactivated programmes with tens of thousands of installations, they are spreading an upgraded version of the malware.

According to company Fox-IT, the malware apps, Mister Phone Cleaner, and Kylhavy Mobile Security, were downloaded 50,000 and 10,000 times. According to the business, the malware mostly targets people in Spain, Australia, Poland, Germany, the United States, and Austria.

When the operators used sideloading and social engineering tactics to target banking and cryptocurrency users in the UK, Italy, and the US. In October 2021, cybersecurity researchers at Cleafy discovered the Trojan. They obtained accessibility permissions to install the dropper automatically at the moment and duped users into downloading apps. These apps posed as media players, live TV, and data recovery software, and started money transfers from the compromised devices.

The SharkBot no longer uses these techniques. The organization claims that the new infection uses the aforementioned cleaning and security apps to trick victims into installing the malware. They guise updating their devices’ antivirus security. SharkBot no longer targets victims in the UK or Italy.

The Issues

A banking Trojan typically gathers user credentials and sensitive financial and personal information from a device to exploit in phishing. The most recent iteration of SharkBot takes victims’ session cookies, which contain information from when users connect to their bank accounts.

The upgraded virus recognizes the action of a victim launching a banking application and performing an additional injection or an overlay attack to steal credentials. While opening a banking application, it displays a phishing website to the victims in web view while capturing their login information for the false website.

The upgraded malware now includes a keylogging function that enables it to record every accessibility event an infected device produces. The Fox-IT researchers explain that “it may log events like button clicks, changes in TextFields, and sent them to the command-and-control center”. The malware has the ability to remotely manage some accessibility actions on the target devices and intercept SMS.

According to malware analysts, criminals can get beyond security measures and conduct financial transactions using the victims’ devices. He continues that No “major alterations” had been made to the malware prior to the most recent version 2.25.