A new, updated version of a malware app that attacks bank accounts and cryptocurrencies has recently reappeared on the Google Play store, now with the ability to steal cookies from account logins and bypass fingerprint or other authentication requirements.
The malware analyst Alberto Segura and threat intelligence analyst Mike Stokkel shared a warning about the new version of the malware on their Twitter accounts on Friday, linking to their co-authored article on the Fox-IT blog.
We discovered a new version of #SharkbotDropper in Google Play used to download and install #Sharkbot! The found droppers were used in a campaign targeting UK and IT! Great job @Mike_stokkel! https://t.co/uXt7qgcCXb
– Alberto Segura (@alberto__segura) September 2, 2022
According to Segura, the new version of the malware was discovered on August 22 and can “perform overlay attacks, steal data through keylogging, intercept SMS messages, or give threat actors complete remote control of the host device by abusing Accessibility Services”.
The new version of the malware was found in two Android apps, Mister Phone Cleaner and Kylhavy Mobile Security, which have amassed 50,000 and 10,000 downloads, respectively.
The two apps were initially able to make it onto the Play Store because Google’s automated code review did not detect any malicious code; they have since been removed from the store.
Some observers suggest that users who installed the apps may still be at risk and should manually remove them.
An in-depth analysis by the Italian security company Cleafy found that SharkBot had 22 targets, including five cryptocurrency exchanges and several international banks from the US, UK, and Italy.
Regarding how the malware is installed, the previous version of SharkBot “relied on accessibility permissions to automatically install SharkBot dropper malware”.
This new version differs in that it “asks the victim to install the malware as a fake antivirus update to stay protected against threats”.
Once installed, if the victim logs into their bank or crypto account, SharkBot is able to snatch their valid session cookie via the “logsCookie” command, which essentially bypasses any fingerprint or authentication methods used.
This is interesting! Sharkbot Android malware is canceling the “Log in with your fingerprint” dialogs so that users are forced to enter the username and password (according to @foxit blog posts) pic.twitter.com/fmEfM5h8Gu
– Łukasz (@maldr0id) September 3, 2022
The first version of the SharkBot malware was discovered by Cleafy in October 2021.
According to Cleafy’s first analysis of SharkBot, SharkBot’s main objective was to “initiate money transfers from compromised devices through the Automatic Transfer Systems (ATS) technique bypassing multi-factor authentication mechanisms”.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information set forth herein should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.