SharkBot malicious software, which targets Android users’ banking logins through apps with tens of thousands of installations, has made a comeback in the Google Play Store.

Two Android apps submitted to Google's automated review contained no malicious code at the time of review, yet they served as droppers for the malware.

The SharkBot payload itself is only delivered through an update fetched after the user downloads and runs the dropper apps.

The two fraudulent apps are “Mister Phone Cleaner” and “Kylhavy Mobile Security,” which have a combined 60,000 installations, according to a blog post by Fox IT, a division of the NCC Group.

The two applications dropping SharkBot (Fox IT)

Although Google Play has removed the two apps, anyone who downloaded them is still at risk and needs to uninstall them manually.

SharkBot evolved

SharkBot was found in October 2021 by malware researchers at the Italian online fraud management and prevention firm Cleafy. NCC Group discovered the first apps using it on Google Play in March 2022.

The malware at that time was capable of overlay attacks, data theft by keylogging, SMS message interception, and complete remote control of the host device for threat actors by abusing the Accessibility Services.

SharkBot 2 was discovered in May 2022 by ThreatFabric researchers. This version of SharkBot had a domain generation algorithm (DGA), an improved communication protocol, and completely refactored code.

On August 22, malware researchers at Fox IT found a new version of the malware (2.25) that adds the ability to harvest cookies from bank account logins.

Additionally, unlike in the past, the new dropper apps don’t take advantage of the accessibility services.

“The dropper was able to automatically click all of the UI buttons to install Sharkbot by abusing the accessibility permissions. However, this is not the case with this updated Sharkbot dropper,” Fox IT explains.

“Instead, the dropper will ask the C2 server for permission to directly accept the Sharkbot APK file. It won’t get a download link along with instructions for installing the malware via the ATS features, as it usually does,” according to Fox IT.

Encrypted POST request for downloading SharkBot (Fox IT)

Once installed, the dropper app requests the malicious SharkBot APK file from the command and control (C2) server. It then tells the user that an update is ready and asks them to install the APK and grant the permissions it needs.

SharkBot keeps its hard-coded configuration encrypted with the RC4 cipher to make automated detection more difficult.

Cookie-loving shark

SharkBot 2.25 still contains the overlay, SMS intercept, remote control, and keylogging systems, but a cookie logger has been added on top of these.

New function to steal cookies (Fox IT)

SharkBot uses a new command (“logsCookie”) to capture the victim’s legitimate session cookie when they log in to their bank account and send it to the C2.

Cookies are valuable for gaining access to accounts because they carry software and geographic parameters that help an attacker pass fingerprinting checks and, in some cases, contain the user's authentication token itself.

During its investigation, Fox IT detected fresh SharkBot campaigns across Europe (Spain, Austria, Germany, Poland) and the United States. In these attacks, the researchers found that the malware uses its keylogging capability to collect sensitive information directly from the official app it targets.

Fox IT expects SharkBot campaigns to continue and the malware to keep evolving now that an improved version is available.