These antivirus and cleaning apps inject a Trojan on some smartphones


Nathan Le Gohlisse

Hardware Specialist

September 07, 2022 at 2:30 p.m.


The SharkBot trojan, already notorious to Google's services, has managed to return to the Play Store by embedding itself in antivirus and cleaning tools. For now, only two applications are affected… but they have already been downloaded several thousand times.

Posing as harmless while being devastating is the essence of a Trojan, and that is exactly what SharkBot has managed to do once again. The well-known Android trojan has made a new appearance on the Google Play Store… and, of course, in a perfectly innocent form, at least at first glance.

Infection via an innocuous update…

“This new dropper does not rely on accessibility permissions to automatically install Sharkbot malware,” explains Fox-IT, the team of researchers behind the discovery. “Instead, this new version asks the victim to install the malware as a fake antivirus update to stay protected from the threats.”

Only two applications are affected, at least at this stage: Mister Phone Cleaner and Kylhavy Mobile Security. It may not seem like much, but these two tools have already been downloaded more than 60,000 times in all (more than 50,000 times for the first and more than 10,000 times for the second). These apps are also designed mainly to target Spain, Poland, Germany, Austria, Australia and the United States.


Nearly 60,000 installations in all

As The Hacker News points out, these two applications open the door to installing the second version of SharkBot. This version is even more harmful than the first: it notably features a new command and control (C2) communication mechanism, a domain generation algorithm (DGA) and a completely revamped code base, the outlet reports.

With this renewed arsenal, SharkBot can capture users’ cookies when they log in to their bank accounts, inject fake overlays to harvest banking credentials, record keystrokes, intercept text messages, or perform fraudulent fund transfers through the Automatic Transfer System (ATS).

Sources: Fox IT, The Hacker News


