Sharkbot Malware Swims Back To Google Play To Bite New Victims, Delete These Apps Now

A nasty bit of Android malware previously lurking on the Google Play Store has returned with additional capabilities. Known as SharkBot, the malware is designed to steal user login credentials, particularly credentials used to access financial applications. The malware has also been found to initiate money transfers directly on compromised devices.

SharkBot abuses accessibility permissions in multiple ways to conduct its malicious undertaking. The malware can steal user credentials by logging text entered into login fields. If a user's account is protected by SMS two-factor authentication (2FA), SharkBot can bypass this protection by reading SMS messages to steal authentication codes. The malware is also capable of overlaying fake login screens directly over targeted financial apps. The fake login screens appear legitimate but actually steal the credentials users enter. Additionally, threat actors can use SharkBot to remotely control infected devices. All of these capabilities are scary enough, but a new version of SharkBot has entered the wild with the further ability to steal user session cookies.

Play Store listings for two apps recently found to include the SharkBotDropper (source: Fox IT)

Threat actors distribute the malware by submitting apps to the Google Play Store that come packaged with a malware dropper utility. Once an unsuspecting user installs one of these apps, the dropper reaches out to a command-and-control (C2) server and downloads the full SharkBot malware payload. Previous versions of the SharkBotDropper abused accessibility services to automatically install the malware payload. However, researchers at Fox IT recently found a new version of the dropper that prompts users to install the malware themselves, falsely informing users that the APK file contains an app update.

The researchers found two apps on the Google Play Store that contain this updated malware dropper: Mister Phone Cleaner and Kylhavy Mobile Security. Between them, the two apps have a total of 60,000 downloads. As of the time of writing, Google appears to have removed the Kylhavy Mobile Security app from the Play Store but hasn’t yet delisted Mister Phone Cleaner. Hopefully, Google will remove the latter app shortly, but removing an app from the Play Store won’t remove it from affected users’ devices. Those with these malicious apps already installed on their devices will need to manually remove the apps themselves.