The widespread Android banking trojan SharkBot has made its way back onto the Google Play Store. This time it has disguised itself as antivirus and cleaner apps by the names of Mister Phone Cleaner and Kylhavy Mobile Security. The apps have around 60,000 total downloads combined and have been designed to primarily target Android users in Spain, Australia, Poland, Germany, the U.S., and Austria. SharkBot has received updated C2 server communication, a domain generation algorithm, and a recoded codebase. NCC Group’s Fox-IT said in a report, “This new dropper doesn’t rely on Accessibility permissions to automatically perform the installation of the dropper SharkBot malware. Instead, this new version asks the victim to install the malware as a fake update for the antivirus to stay protected against threats.” Some additional capabilities performed by the malware are injecting fake overlays to harvest bank account credentials, logging keystrokes, intercepting SMS messages, and carrying out fraudulent fund transfers using the Automated Transfer System.
It’s very difficult for a user to directly observe malicious behaviors initiated by SharkBot once it has installed itself as a legitimate application. There are less obvious ways for users to tell if they’ve become a victim: unrecognized account withdrawals, credit balance increases, or password reset emails that were not initiated by the account holder could indicate that they’ve become a victim. It is advised that users only downloaded trusted apps, always check reviews, and ensure automatic updates — which often include security patches — are turned on. A mobile security solution should be considered as well; this will lessen the chance of an organization’s user becoming a victim to malware such as SharkBot. Often, initial access is sold or traded to other threat groups: compromise of a user’s phone can lead to compromise of an organization’s network due to bring your own device (BYOD) policies in today’s remote work landscape.