The SharkBot malware family was discovered in October last year and has since evolved with new ways to compromise users' Android-based crypto and banking apps. In addition, a newly upgraded version of the banking and crypto malware has just reached the Google Play store, now with the ability to collect account login cookies and bypass biometric or authentication restrictions.
On Friday, malware analyst Alberto Segura and threat intelligence analyst Mike Stokkel warned of the latest version of the virus on their Twitter accounts, along with a link to an article they co-authored on the Fox IT blog.
The latest version of the virus, found on August 22, can “perform overlay attacks, steal data through keylogging, intercept SMS messages, or offer threat actors complete remote control over a host device using accessibility services,” according to Segura.
The new malware variant was discovered in two Android apps, Mister Phone Cleaner and Kylhavy Mobile Security, which had 50,000 and 10,000 downloads, respectively. The two apps were initially accepted into the Play Store because Google’s automated code review found no malicious code, but were subsequently pulled. However, some commentators believe that customers who have installed the apps are still vulnerable and should uninstall them manually.
An in-depth investigation by Italian security firm Cleafy found that SharkBot identified 22 targets, including five cryptocurrency exchanges and a number of multinational banks in the United States, United Kingdom and Italy. Regarding the malware’s attack method, the previous version “relied on accessibility permissions to automatically install the SharkBot dropper malware.”
However, this latest version “asks the user to install the malware as a fake antivirus update to protect against threats.” Once installed, when a victim logs into their bank or cryptocurrency account, SharkBot can steal their valid session cookie using the “logsCookie” command, bypassing any fingerprinting or authentication techniques.
Cleafy discovered the first variant of the SharkBot virus in October 2021. The main purpose of SharkBot, according to Cleafy’s initial investigation, was to “initiate money transfers from infected devices using an Automated Transfer Systems (ATS) approach that avoids multi-factor authentication measures.”