
SharkBot

Malware

Android


New SharkBot is back in action targeting login details on Google Play

Following the discovery of the SharkBot Dropper on Google Play in February 2022, which masqueraded as a false Android antivirus, a new variant of this dropper e...

05-Sep-2022
4 min read

Hackers are leveraging a new and improved version of the SharkBot malware to steal banking credentials from Android users by distributing malicious software disguised as legitimate apps that have been downloaded and installed by tens of thousands.

Both Android apps contained the malware despite passing Google's automated checks for malicious code. SharkBot itself, however, is only delivered after the dropper apps have been installed and launched, and it arrives in the form of an update.

Fox IT, part of NCC Group, named the two malicious apps as "Mister Phone Cleaner" and "Kylhavy Mobile Security" in a blog post, and reported a combined total of 60,000 installations.

[Figure: the two dropper apps as listed on Google Play (Fox IT)]

Both apps have been deleted from Google Play, but any users who have already installed them should uninstall them manually.

Evolution of the SharkBot Malware

In October 2021, SharkBot was found by malware analysts at Cleafy, an Italian firm specializing in online fraud management and protection. NCC Group discovered the first apps supporting it in March 2022 on Google Play.

The malware can perform overlay attacks, collect information via keylogging, intercept SMS messages, or give the threat actors remote control of the infected device by abusing Android's Accessibility Services.

ThreatFabric discovered SharkBot 2 in May of 2022; it had a new domain generation algorithm (DGA), a different communication protocol, and a completely rewritten codebase.

Fox IT found a new malware variant on August 22 with the capability to collect banking login cookies.

The newer dropper apps also no longer abuse Accessibility Services.

"The dropper could use automated clicks on all the buttons in the UI to install Sharkbot by abusing accessibility capabilities. However, such is not the case with the latest dropper for Sharkbot." - Fox IT.

Instead, the dropper asks the C2 server to deliver the Sharkbot APK file directly to the dropper's destination. According to Fox IT, it no longer receives "Automatic Transfer Systems" (ATS) instructions for installing the malware through email.

[Figure: the encrypted POST request used to fetch SharkBot (Fox IT)]

Once the dropper app is installed, it contacts the C2 server to obtain the malicious APK file. When an update is available, the dropper notifies the user and asks for permission to install the APK.

SharkBot encrypts its hard-coded configuration with RC4, making it harder for automated detection systems to locate.

Shark with a sweet tooth for cookies

On top of the existing overlay, SMS intercept, remote control, and keylogging components, SharkBot 2.25 includes a cookie logger.

[Figure: the new cookie-theft feature (Fox IT)]

SharkBot includes a new command, "logsCookie", that steals the victim's valid session cookie when they log in to their financial institution's app.

Because cookies store software and geographic parameters, they are useful for account takeover: they can be used to evade fingerprinting checks and, in some cases, contain the user's authentication token itself.

During the investigation, Fox IT spotted new SharkBot campaigns in both Europe (Spain, Austria, Germany, and Poland) and the United States. The malware used in these attacks features a keylogging function, allowing the attackers to steal sensitive data in transit from the legitimate app.

Fox IT expects SharkBot activity to continue and the malware to keep evolving now that an updated version is in circulation.

Indicators of compromise

SharkbotDropper samples published in Google Play:

`hxxps://play.google[.]com/store/apps/details?id=com.kylhavy.antivirus`
`hxxps://play.google[.]com/store/apps/details?id=com.mbkristine8.cleanmaster`

Dropper command-and-control (C2):

`hxxp://mefika[.]me/`

Sharkbot 2.25 (introducing the new cookie-stealing feature):

**Hash:** `7f2248f5de8a74b3d1c48be0db574b1c6558d6edae347592b29dc5234337a5ff`
**C2:** `hxxp://browntrawler[.]store/` (`185.212.47[.]113`)

Sharkbot v2.26 sample:

**Hash:** `870747141b1a2afcd76b4c6482ce0c3c21480ae3700d9cb9dd318aed0f963c58`
**C2:** `hxxp://browntrawler[.]store/` (`185.212.47[.]113`)

DGA active C2s:

`23080420d0d93913[.]live (185.212.47[.]113)`
`7f3e61be7bb7363d[.]live (185.212.47[.]113)`
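As an added example (not from the article or from Fox IT), the indicators above can be turned into a small DNS-log check: it normalises the defanged `[.]` / `hxxp://` notation, matches the known C2 domains and IP, and flags domains that fit the 16-hex-character `.live` shape of the listed DGA C2s. The log line format and the sample lines are constructed for the example.

```python
import re

# Indicators from the IoC list above; "[.]" defanging is normalised at lookup.
KNOWN_C2_DOMAINS = {"browntrawler.store", "mefika.me"}
KNOWN_C2_IPS = {"185.212.47.113"}
# The SharkBot 2 DGA domains listed above: 16 lowercase hex chars under .live
DGA_PATTERN = re.compile(r"^[0-9a-f]{16}\.live$")
LOG_RE = re.compile(r"client=(\S+) q=(\S+) a=(\S+)")

def refang(indicator: str) -> str:
    """Turn hxxp:// and [.] defanging back into a plain lowercase hostname."""
    host = indicator.replace("[.]", ".")
    for prefix in ("hxxps://", "hxxp://", "https://", "http://"):
        host = host.removeprefix(prefix)
    return host.strip("/").lower()

def classify(domain: str, resolved_ip: str) -> list[str]:
    """Labels for a DNS answer matching a SharkBot indicator ([] if clean)."""
    host = refang(domain)
    labels = []
    if host in KNOWN_C2_DOMAINS:
        labels.append("known-c2-domain")
    if resolved_ip in KNOWN_C2_IPS:
        labels.append("known-c2-ip")
    if DGA_PATTERN.match(host):
        labels.append("dga-pattern")
    return labels

# Constructed sample resolver log lines (not from the article); the fourth
# line is a DGA-shaped domain resolving to an IP that is not in the IoC list.
SAMPLE_LOG = """\
2022-09-05T10:01:02Z client=10.0.0.12 q=play.google.com a=142.250.74.46
2022-09-05T10:02:11Z client=10.0.0.12 q=browntrawler.store a=185.212.47.113
2022-09-05T10:02:40Z client=10.0.0.12 q=23080420d0d93913.live a=185.212.47.113
2022-09-05T10:03:05Z client=10.0.0.12 q=9a1f00c4b2e7d3aa.live a=203.0.113.9
2022-09-05T10:04:00Z client=10.0.0.7 q=example.org a=93.184.216.34
"""

def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client, domain, comma-joined labels) for each line that hits."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            client, domain, ip = m.groups()
            labels = classify(domain, ip)
            if labels:
                hits.append((client, domain, ",".join(labels)))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags three of the five constructed lines; the DGA-shaped domain on an unknown IP is still reported, which is the point of matching the pattern rather than only the listed domains.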