Pretend Antivirus and Cleaner Apps Caught Putting in SharkBot Android Banking Trojan

Pretend Antivirus and Cleaner Apps Caught Putting in SharkBot Android Banking Trojan

The infamous Android banking trojan often known as SharkBot has as soon as once more made an look on the Google Play Retailer by masquerading as antivirus and cleaner apps.

“This new dropper does not depend on Accessibility permissions to routinely carry out the set up of the dropper Sharkbot malware,” NCC Group’s Fox-IT said in a report. “As an alternative, this new model asks the sufferer to put in the malware as a pretend replace for the antivirus to remain protected towards threats.”

The apps in query, Mister Telephone Cleaner and Kylhavy Cell Safety, have over 60,000 installations between them and are designed to focus on customers in Spain, Australia, Poland, Germany, the U.S., and Austria –

  • Mister Telephone Cleaner (com.mbkristine8.cleanmaster, 50,000+ downloads)
  • Kylhavy Cell Safety (com.kylhavy.antivirus, 10,000+ downloads)

The droppers are designed to drop a brand new model of SharkBot, dubbed V2 by Dutch safety agency ThreatFabric, which options an up to date command-and-control (C2) communication mechanism, a website technology algorithm (DGA), and a completely refactored codebase.

Fox-IT mentioned it found a more recent model 2.25 on August 22, 2022, that introduces a perform to siphon cookies when victims log in to their financial institution accounts, whereas additionally eradicating the flexibility to routinely reply to incoming messages with hyperlinks to the malware for propagation.

By eschewing the Accessibility permissions for putting in SharkBot, the event highlights that the operators are actively tweaking their methods to keep away from detection, to not point out discover different strategies within the face of Google’s newly imposed restrictions to curtail the abuse of the APIs.


Different notable info stealing capabilities embody injecting pretend overlays to reap checking account credentials, logging keystrokes, intercepting SMS messages, and finishing up fraudulent fund transfers utilizing the Automated Switch System (ATS).

It is no shock that malware poses an evolving and omnipresent risk, and regardless of continued efforts on the a part of Apple and Google, app shops are susceptible to unknowingly being abused for distribution, with the builders of those apps making an attempt each trick within the ebook to dodge safety checks.

“Till now, SharkBot’s builders appear to have been specializing in the dropper with a view to hold utilizing Google Play Retailer to distribute their malware within the newest campaigns,” researchers Alberto Segura and Mike Stokkel mentioned.