September 12, 2022

Sharkbot V2

Lookout Coverage and Recommendation for Admins

While this particular piece of malware targets mobile banking apps, the same tactic could be used to target accounts for work-related apps like Google Drive, Office 365, and Outlook. This would pose a serious risk for any organization that relies on these apps for its employees to be productive from their mobile devices.

Lookout customers are protected against all versions of Sharkbot. Security telemetry from over 269 million mobile apps and 215 million mobile devices helps Lookout automatically detect and protect users against new iterations of existing malware. Admins should be sure that the Trojan policy is enabled in their Lookout console and can choose to alert the device or block it from accessing corporate apps.

Overview

In early September 2022, threat researchers discovered multiple Google Play listings for dropper apps that installed the infamous mobile banking trojan Sharkbot. Since it was originally discovered in late 2021, this Android malware has been used by financially motivated threat actors targeting both banking apps and cryptocurrency apps and exchanges. Recent versions of the Sharkbot dropper apps deliver an evolved version of the banking trojan that researchers are referring to as Sharkbot V2. It includes an updated communication mechanism to C2 servers, a domain generation algorithm (DGA) and a fully refactored code base. It also now targets customers of banks in the UK, Italy, Spain, Australia, Poland, Germany, the United States of America and Austria.

Lookout Analysis

The two dropper apps in question, Mister Phone Cleaner and Kylhavy Mobile Security, no longer rely on Accessibility permissions to automatically download and install the Sharkbot trojan. The malware is now installed under the guise of an update to the two apps. They use a less sophisticated approach than previously seen Sharkbot droppers, relying on the user unwittingly allowing the installation of the malicious package rather than attempting to implant the payload onto the user's device automatically. This is simpler from a code perspective and is likely a deliberate decision by the threat actors to prevent the dropper's code from being scrutinized. In addition to containing relatively little malicious code, the apps on the Play Store also use localization checks to maintain a low profile and to limit attempts to drop the malicious package to devices that match the intended victim profile.

Platform(s) Affected: Android
Threat Type: Malware, Crimeware
Entry Type: Threat Guidances
