The SharkBot malware-targeting crypto app is back on the Google Play store

By: Henry Felix

The SharkBot malware-targeting crypto app is back on the Google Play store

September 5, 2022 8:51 AM

Since its discovery in October of last year, the SharkBot malware family has been constantly developing new methods of infiltrating Android-based crypto and banking apps.

Malware that targets banking and cryptocurrency apps has recently reappeared on Google Play, this time with the ability to steal login cookies and avoid authentication methods like fingerprints or passcodes.


On September 2, malware analyst Alberto Segura and treat intelligence analyst Mike Stokkel issued a warning about the new variant of the malware on their respective Twitter accounts, linking to an article they had written together for the Fox IT blog.



As reported by Segura on August 22nd, the updated malware "can perform overlay attacks, steal data through keylogging, intercept SMS messages, or give threat actors complete remote control of the host device by abusing the Accessibility Services."


Two popular Android apps, "Mister Phone Cleaner" and "Kylhavy Mobile Security," both of which have been downloaded more than 50,000 and 10,000 times, respectively, since the new malware version was discovered in them.


Google's automated code review initially passed the two apps, but they were later removed from the Play Store after discovering malicious code.


Those who have already downloaded and installed the apps may be at risk, according to some observers, who advise against doing so.


Twenty-two targets, including five cryptocurrency exchanges and a number of international banks in the United States, the United Kingdom, and Italy, were identified by SharkBot, according to an in-depth analysis conducted by Italian security firm Cleafy.


The original SharkBot malware "relied on accessibility permissions to automatically perform the installation of the dropper SharkBot malware."


This new variant is distinguished from previous versions in that it "asks the victim to install the malware as a fake update for the antivirus to stay protected against threats."


After being installed, SharkBot will steal the victim's valid session cookie whenever they log into their bank or cryptocurrency account using the "logsCookie" command, effectively evading any fingerprinting or authentication measures.



In October of 2021, Cleafy uncovered the first instance of the SharkBot malware.


Based on Cleafy's initial analysis, SharkBot's primary objective was "to initiate money transfers from the compromised devices via Automatic Transfer Systems (ATS) technique bypassing multi-factor authentication mechanisms."