Following the discovery of the SharkBot dropper on Google Play in February 2022, which masqueraded as a fake Android antivirus, a new variant of this dropper e...
Attackers are using a new, upgraded version of the SharkBot Android malware to steal banking credentials, delivering it through dropper apps that pose as legitimate software and have been installed tens of thousands of times.
Two Android apps passed Google's automated code review because they carry no malicious code themselves: SharkBot is only fetched after the dropper app has been installed and launched, and is presented to the user as an update.
In a blog post, Fox IT (part of NCC Group) named "Mister Phone Cleaner" and "Kylhavy Mobile Security" as the two malicious apps and put their combined install count at 60,000.
The two Google Play apps that dropped SharkBot (Fox IT)
Both apps have since been removed from Google Play, but users who already installed them must uninstall them manually.
SharkBot was first identified in October 2021 by malware analysts at Cleafy, an Italian firm specializing in online fraud management and protection. NCC Group found the first apps carrying it on Google Play in March 2022.
The malware can launch overlay attacks, harvest data via keylogging, intercept SMS messages, and give the threat actors remote control of the infected device by abusing Android's Accessibility Services.
ThreatFabric discovered SharkBot 2 in May 2022; it introduced a domain generation algorithm (DGA), a different C2 communication protocol, and a fully refactored codebase.
On August 22, Fox IT found a new variant of the malware that adds the ability to steal cookies from banking logins.
The new dropper apps also no longer abuse Accessibility Services.
"The dropper could use automated clicks on all the buttons in the UI to install Sharkbot by abusing accessibility capabilities. However, such is not the case with the latest dropper for Sharkbot." - Fox IT.
Instead, the dropper asks the C2 server to return the SharkBot APK file directly. According to Fox IT, it no longer receives a download link together with "Automatic Transfer Systems" (ATS) commands that automate the installation, as earlier droppers did.
Encrypted POST request used to fetch the SharkBot APK (Fox IT)
Once the dropper app is installed, it contacts the C2 server to obtain the malicious APK. It then notifies the user that an update is available and asks for permission to install the APK.
SharkBot encrypts its hard-coded configuration with RC4, which keeps C2 details and other strings out of plain view and makes it harder for automated detection systems to flag the sample.
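An added example, not Fox IT's or the malware's code, of how an analyst recovers an RC4-encrypted, hard-coded configuration once the key has been pulled out of the APK. RC4 is implemented directly so the block runs offline; the key `example-rc4-key`, the JSON layout of the sample config and the candidate-key list are constructed for illustration and do not describe SharkBot's real format. Because RC4 is a stream cipher, a wrong key raises no error and simply yields garbage, so the recovery routine validates the plaintext by parsing it rather than trusting the cipher.

```python
import json

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Constructed sample: a small JSON config of the kind a banking bot might
# hard-code, encrypted under a hypothetical key. The real config layout and
# key are assumptions, not taken from any SharkBot sample.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_CONFIG = {"c2": ["browntrawler.store"], "dga_tld": ".live", "cmds": ["logsCookie"]}
SAMPLE_BLOB = rc4(SAMPLE_KEY, json.dumps(SAMPLE_CONFIG).encode("utf-8"))

def decrypt_config(key: bytes, blob: bytes):
    """Decrypt the blob and parse it as JSON.

    Returns the parsed config, or None when the plaintext is not JSON, which
    is the only signal you get that the key was wrong: RC4 itself never fails.
    """
    plain = rc4(key, blob)
    if not plain.startswith(b"{"):            # cheap filter before a full parse
        return None
    try:
        return json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None

def recover_config(blob: bytes, candidate_keys):
    """Try candidate keys (e.g. string constants near the decryption routine in
    the APK) and return (key, config) for the first one that yields valid JSON."""
    for key in candidate_keys:
        cfg = decrypt_config(key, blob)
        if cfg is not None:
            return key, cfg
    return None

if __name__ == "__main__":
    print(recover_config(SAMPLE_BLOB, [b"wrong-key", b"0000", SAMPLE_KEY]))
```

The `rc4` routine can be checked against the published test vector (key `Key`, plaintext `Plaintext` gives `BBF316E8D940AF0AD3`) before trusting it on real samples; in practice the candidate keys come from strings referenced by the decryption call site, and the parse step is what tells a correct key from a wrong one.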
On top of the existing overlay, SMS-intercept, remote-control, and keylogging components, SharkBot 2.25 adds a cookie logger.
Updated cookie-theft feature (Fox IT)
SharkBot has a new command ("logsCookie") that steals the victim's valid session cookie when they log into their bank.
Cookies are valuable for account takeover because they carry software and location parameters that help the attacker pass fingerprinting checks and, in some cases, the user's authentication token itself.
During the investigation Fox IT observed new SharkBot campaigns in Europe (Spain, Austria, Germany, and Poland) and the United States. The malware used in these attacks includes the keylogging module, which lets the attackers steal sensitive data as it is entered into the legitimate app.
Fox IT expects SharkBot activity to continue, and the malware to keep evolving, now that the updated version is in active distribution.
SharkbotDropper samples published in Google Play:
`hxxps://play.google[.]com/store/apps/details?id=com.kylhavy.antivirus`
`hxxps://play.google[.]com/store/apps/details?id=com.mbkristine8.cleanmaster`
Dropper Command-and-control (C2):
`hxxp://mefika[.]me/`
Sharkbot 2.25 (introducing new cookie-stealing features):
**Hash:** `7f2248f5de8a74b3d1c48be0db574b1c6558d6edae347592b29dc5234337a5ff`
**C2:** `hxxp://browntrawler[.]store/` (185.212.47[.]113)
Sharkbot v2.26 sample:
**Hash:** `870747141b1a2afcd76b4c6482ce0c3c21480ae3700d9cb9dd318aed0f963c58`
**C2:** `hxxp://browntrawler[.]store/` (185.212.47[.]113)
DGA Active C2s:
`23080420d0d93913[.]live (185.212.47[.]113)`
`7f3e61be7bb7363d[.]live (185.212.47[.]113)`
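An added example, not part of the Fox IT report, that turns the indicators listed above into a small hunt over DNS, connection and APK-hash records. The indicators are taken verbatim from the list above (defanged form included, and refanged in code); the log format and the log lines themselves are constructed for the example. The DGA check is a heuristic assumed from the two observed domains (16 lowercase hex characters under `.live`), not the published algorithm, so it is reported separately from exact matches and is meant as a lead to verify, not a verdict.

```python
import re

# Indicators as listed on this page (Fox IT), kept in their defanged form
DEFANGED_IOCS = {
    "dropper_c2": ["hxxp://mefika[.]me/"],
    "sharkbot_c2": ["hxxp://browntrawler[.]store/"],
    "dga_c2": ["23080420d0d93913[.]live", "7f3e61be7bb7363d[.]live"],
    "ip": ["185.212.47[.]113"],
    "sha256": [
        "7f2248f5de8a74b3d1c48be0db574b1c6558d6edae347592b29dc5234337a5ff",
        "870747141b1a2afcd76b4c6482ce0c3c21480ae3700d9cb9dd318aed0f963c58",
    ],
}

# Heuristic shape of the observed DGA domains; an assumption generalized from
# the two listed above, not SharkBot's actual generation algorithm.
DGA_RE = re.compile(r"^[0-9a-f]{16}\.live$")

def refang(s: str) -> str:
    """Undo the usual defanging so indicators compare against live telemetry."""
    return s.replace("hxxp", "http").replace("[.]", ".")

def hostname(url: str) -> str:
    m = re.match(r"^https?://([^/:]+)", url)
    return m.group(1) if m else url

def build_indicator_sets():
    domains = {hostname(refang(u)) for u in DEFANGED_IOCS["dropper_c2"] + DEFANGED_IOCS["sharkbot_c2"]}
    domains |= {refang(d) for d in DEFANGED_IOCS["dga_c2"]}
    ips = {refang(ip) for ip in DEFANGED_IOCS["ip"]}
    hashes = {h.lower() for h in DEFANGED_IOCS["sha256"]}
    return domains, ips, hashes

# Constructed records (not real telemetry): "<timestamp> <kind> <field>=<value>"
SAMPLE_LOG = """\
2022-08-23T10:01:02Z dns query=browntrawler.store
2022-08-23T10:01:03Z conn dst=185.212.47.113:80
2022-08-23T10:02:10Z dns query=23080420d0d93913.live
2022-08-23T10:02:11Z dns query=play.googleapis.com
2022-08-23T10:03:00Z dns query=0badc0ffee123456.live
2022-08-23T10:04:00Z apk sha256=870747141b1a2afcd76b4c6482ce0c3c21480ae3700d9cb9dd318aed0f963c58
2022-08-23T10:05:00Z apk sha256=0000000000000000000000000000000000000000000000000000000000000000
"""

def scan(log_text: str):
    """Return (timestamp, reason, value) for every record that hits an indicator.
    Exact matches come first; the DGA pattern only fires when no exact match did."""
    domains, ips, hashes = build_indicator_sets()
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                           # skip malformed records
        ts, kind, kv = parts
        _, _, value = kv.partition("=")
        value = value.lower()
        if kind == "dns":
            if value in domains:
                hits.append((ts, "known-c2-domain", value))
            elif DGA_RE.match(value):
                hits.append((ts, "dga-pattern", value))
        elif kind == "conn":
            ip = value.rsplit(":", 1)[0]       # strip the port
            if ip in ips:
                hits.append((ts, "known-c2-ip", ip))
        elif kind == "apk":
            if value in hashes:
                hits.append((ts, "known-sample-hash", value))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

On the constructed records the scan flags the SharkBot C2 domain, the shared C2 IP, one listed DGA domain, one unlisted `.live` domain that only matches the heuristic, and the v2.26 sample hash; the unrelated Google query and the zero hash pass through. Because the DGA hosts resolve to the same IP as `browntrawler[.]store`, the IP match is the more durable indicator if the actor rotates domains.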