SharkBot Malware Swims Back To Google Play To Bite New Victims, Delete These Apps Now
SharkBot abuses accessibility permissions in multiple ways to carry out its malicious activity. The malware can steal user credentials by logging text entered into login fields. If a user's account is protected by SMS two-factor authentication (2FA), SharkBot can bypass this protection by reading SMS messages to steal authentication codes. The malware can also overlay fake login screens directly over targeted financial apps. These screens appear legitimate but capture the credentials users enter. Additionally, threat actors can use SharkBot to remotely control infected devices. All of these capabilities are scary enough, but a new version of SharkBot has entered the wild with the further ability to steal user session cookies.
The researchers found two apps on the Google Play Store that contain this updated malware dropper: Mister Phone Cleaner and Kylhavy Mobile Security. Between them, the two apps have a total of 60,000 downloads. As of the time of writing, Google appears to have removed the Kylhavy Mobile Security app from the Play Store but hasn’t yet delisted Mister Phone Cleaner. Hopefully, Google will remove the latter app shortly, but removing an app from the Play Store won’t remove it from affected users’ devices. Those with these malicious apps already installed on their devices will need to manually remove the apps themselves.
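For anyone auditing a device over `adb`, here is an added example (not from the article or the researchers) that flags apps holding both an enabled accessibility service and a granted SMS permission, the two capabilities described above. The package names and captured command output are constructed samples, and a flagged app is a candidate for review, not confirmed malware.

```python
import re

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
ENABLED_A11Y = ("com.example.phonecleaner/.CleanerService:"
                "com.google.android.marvin.talkback/"
                "com.google.android.marvin.talkback.TalkBackService")

# Constructed excerpts of: adb shell dumpsys package <package>
DUMPSYS = {
    "com.example.phonecleaner": """
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
""",
    "com.google.android.marvin.talkback": """
    runtime permissions:
      android.permission.READ_PHONE_STATE: granted=true
""",
    "com.example.notes": """
    runtime permissions:
      android.permission.READ_SMS: granted=false, flags=[ USER_FIXED ]
""",
}

SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
GRANT_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)", re.M)

def accessibility_packages(setting):
    """Package names from the colon-separated 'package/service' setting value."""
    if not setting or setting.strip() in ("", "null"):
        return set()
    return {c.split("/", 1)[0] for c in setting.strip().split(":") if "/" in c}

def granted_sms_perms(dumpsys_text):
    """SMS permissions that dumpsys reports as granted=true."""
    return {p for p, g in GRANT_RE.findall(dumpsys_text)
            if g == "true" and p in SMS_PERMS}

def audit(setting, dumpsys_by_pkg):
    """Map each accessibility-enabled package to its granted SMS permissions."""
    findings = {}
    for pkg in sorted(accessibility_packages(setting)):
        sms = granted_sms_perms(dumpsys_by_pkg.get(pkg, ""))
        if sms:
            findings[pkg] = sorted(sms)
    return findings

if __name__ == "__main__":
    for pkg, perms in audit(ENABLED_A11Y, DUMPSYS).items():
        print(f"REVIEW {pkg}: accessibility service enabled + {', '.join(perms)}")
```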