New SharkBot Trojan Spread Via Mobile Security Apps

The operators behind banking Trojan SharkBot have taken to Google Play to find their next victims. They are distributing an updated version of the malware on now-deactivated applications that already have tens of thousands of installations.

See Also: Webinar | Prevent, Detect & Restore: Data Security Backup Systems Made Easy

The malicious apps, called Mister Phone Cleaner and Kylhavy Mobile Security, have been downloaded 50,000 and 10,000 times, respectively, cybersecurity firm Fox-IT says. The malware primarily targets victims in Spain, Australia, Poland, Germany, the United States and Austria, the company says.

Cybersecurity researchers at Cleafy identified the Trojan back in October 2021, when the operators targeted banking and crypto service customers in the United Kingdom, Italy and the U.S. via sideloading and social engineering campaigns. At the time, they tricked users into downloading applications masquerading as media player, live TV and data recovery apps; gained accessibility permissions to automatically install the dropper; and initiated money transfers from the compromised devices.

But SharkBot no longer relies on these methods. The updated malware lures victims into installing the malware on the pretext of updating the antivirus protection on their devices via the aforementioned cleaning and security apps, the company says. It also no longer targets victims in Italy or the U.K.

Traditionally, a banking Trojan harvests user credentials and other sensitive financial and personal information stored in a device, to be used in future online frauds or phishing campaigns. But SharkBot’s latest version also steals session cookies from victims that include data from when they log into their bank accounts.

The updated malware detects the action of a victim opening a banking application and performs an additional injection or an overlay attack to steal credentials. It shows the victims a phishing website in web view when the banking application is opened, stealing the credentials they use to log in via the fake website.

The updated malware also has a keylogging feature, which allows it to receive every accessibility event produced in the infected device. “This way, it can log events such as button clicks, changes in TextFields, etc., and finally send them to the command and control center,” the Fox-IT researchers say. The malware can also intercept SMS and remotely control some accessibility events on the victim devices.

Bad actors can bypass security measures and make financial transactions using the victims’ own devices, says Alberto Segura, a malware analyst at Fox-IT. He adds that there had been no “big changes” in the malware until the latest version 2.25.