The SharkBot malware family was discovered in October last year and has since evolved with new ways to break into users’ Android-based crypto and banking apps. A freshly improved version of the malware, which targets banking and crypto software, has just emerged on the Google Play market, now with the ability to collect cookies from account logins and circumvent biometric or other authentication constraints.
On Friday, malware analyst Alberto Segura and threat intelligence analyst Mike Stokkel warned about the most recent version of the malware on their Twitter accounts, along with a link to their co-authored piece on the Fox IT blog.
The latest version of the malware, found on August 22, may “conduct overlay attacks, steal data through keylogging, intercept SMS messages, or offer threat actors total remote control of the host device by exploiting the Accessibility Services,” according to Segura.
The new malware variant was discovered in two Android applications, Mister Phone Cleaner and Kylhavy Mobile Security, which had 50,000 and 10,000 downloads, respectively. The two applications were initially accepted onto the Play Store because Google’s automatic code review did not detect any harmful code; they have since been withdrawn. However, some commentators note that users who installed the applications remain exposed and should uninstall them manually.
An in-depth investigation by the Italian security firm Cleafy discovered that SharkBot had identified 22 targets, including five cryptocurrency exchanges and a number of multinational banks in the United States, the United Kingdom, and Italy. In terms of the malware’s mode of attack, the previous version “relied on accessibility permissions to automatically execute the installation of the dropper SharkBot malware.”
This latest version, however, “asks the user to install the malware as a phony update for the antivirus to keep protected against threats.” Once installed, when a victim logs in to their bank or cryptocurrency account, SharkBot can steal the valid session cookie with the command “logsCookie,” which lets the attacker reuse the authenticated session and thereby bypass fingerprinting and other authentication techniques.
Cleafy detected the first variant of the SharkBot malware in October 2021. SharkBot’s main purpose, according to Cleafy’s first investigation, was “to initiate money transfers from infected devices using Automatic Transfer Systems (ATS) approach evading multi-factor authentication measures.”
Featured Image: Megapixl @Andriezas