The cryptocurrency market capitalization is valued at around $1 trillion today. With increasing activity on the metaverse and new avenues of crypto-enabled trading channels including NFTs (non-fungible tokens), it seems the future has arrived. However, this has also become a potent battleground for cyber criminals to siphon off the funds of normal users.
In the last few months, multiple apps on Google Play have been caught targeting users who trade or invest in cryptocurrencies. Most recently, the SharkBot dropper was found on the Google Play Store hidden in two utility apps, ‘Kylhavy Mobile Security’ and ‘Mister Phone Cleaner’.
What is SharkBot malware?
SharkBot is Android malware built to attack banking and cryptocurrency applications. It takes hold of a device once one of the dropper apps is installed and fetches the actual SharkBot payload. It can steal session cookies from the victim’s logged-in accounts, which lets the attacker reuse an already authenticated session and skip the login flow altogether, including the device-fingerprint checks a bank or exchange applies at login. The latest version was documented by malware analyst Alberto Segura of Fox-IT to warn Android users.
The dropper apps have been downloaded by over 100,000 Android users. They are disguised as security and phone-cleaner utilities; the SharkBot payload they install then tricks the victim into handing over the login data for their crypto-exchange and banking accounts.
How does SharkBot malware work?
Once installed, SharkBot watches for the targeted banking and crypto-exchange apps and lays a fake login screen (an overlay) on top of them, so the credentials the victim types go straight to the attacker. It also intercepts the SMS messages carrying the one-time two-factor authentication codes for those apps. With the password and the 2FA code in hand, the operators get full access to the victim’s account and can drain funds and cryptocurrencies.
SharkBot was first documented in late 2021. Its reappearance has raised concerns that more malicious applications are sitting in the Google Play Store waiting to attack cryptocurrency users. The droppers found in Google Play in March 2022 delivered a version whose capabilities were limited to overlay attacks, intercepting SMS, stealing data through keylogging, and giving the operators complete remote control of the device by abusing Accessibility Services.
However, when SharkBot 2 was detected in May 2022, the malware came with a domain generation algorithm (DGA), refactored code, and an updated command-and-control communication protocol.
SharkBot version 2.25 is more sophisticated
The dropper for SharkBot 2.25 no longer abuses Accessibility Services to push the payload onto the device. Instead of pointing the victim at a download link and then clicking through the installation prompts automatically via Accessibility Services, the new dropper sends an encrypted POST request to its command-and-control (C2) server and receives the SharkBot APK directly in the response, after which it prompts the user to install the file as an ‘update’. Dropping the Accessibility abuse also spares the dropper a conspicuous permission request that used to give it away.
Once the dropper has pulled the SharkBot APK down and the payload is installed, SharkBot keeps its hard-coded configuration encrypted with the RC4 algorithm, so strings such as C2 addresses and command names are not visible to simple static scans, which makes automated detection of the malware harder.
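As an added example (not SharkBot’s own code and not taken from the Fox-IT analysis), the following shows what an analyst does with an RC4-encrypted configuration once the key has been recovered from the APK: a plain RC4 routine decrypts the blob and the result is parsed as JSON. The key, the configuration contents and the encrypted blob below are constructed for this demonstration; a real sample’s key and blob have to be pulled from the dropper’s code or resources, and the actual layout of SharkBot’s configuration is not shown here.

```python
# Added example: RC4 decryption of an embedded malware configuration.
# DEMO_KEY and DEMO_CONFIG are constructed for the demo, not real SharkBot data.
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4. The cipher is symmetric: one call encrypts and decrypts."""
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), XORed over the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Hypothetical key and configuration, constructed for this example only.
DEMO_KEY = b"demo-rc4-key"
DEMO_CONFIG = {"c2": ["example.invalid"], "commands": ["logsCookie"]}
# The blob as it would sit inside the APK: the config encrypted under the key.
ENCRYPTED_CONFIG = rc4(DEMO_KEY, json.dumps(DEMO_CONFIG).encode("utf-8"))


def decrypt_config(key: bytes, blob: bytes) -> dict:
    """Decrypt an RC4 blob and parse it as JSON.

    A wrong key yields pseudo-random bytes, so decoding or JSON parsing
    raises ValueError instead of silently returning garbage.
    """
    plaintext = rc4(key, blob)
    return json.loads(plaintext.decode("utf-8"))


def visible_to_static_scan(blob: bytes, marker: bytes) -> bool:
    """Would a naive string scan of the blob find the marker?"""
    return marker in blob


if __name__ == "__main__":
    print("logsCookie visible in encrypted blob:",
          visible_to_static_scan(ENCRYPTED_CONFIG, b"logsCookie"))
    print("decrypted config:", decrypt_config(DEMO_KEY, ENCRYPTED_CONFIG))
```

The `visible_to_static_scan` check makes the detection point concrete: the command name and C2 host are in the decrypted dictionary but never appear as plain strings in the encrypted blob, so a signature that looks for them in the APK on disk will miss the sample. Because RC4 is symmetric, the same `rc4` function is all that is needed in either direction.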
SharkBot malware loves cookies
Version 2.25 of the malware was detected in August 2022. It can also steal the session cookies of banking logins: whenever the victim logs in to their banking application, SharkBot grabs the valid session cookie with its “logsCookie” command and sends it to the C2 server.
A valid session cookie makes account takeover easy. It represents a session the bank has already authenticated, so the attacker can replay it from their own machine and skip the login step altogether, including the device-fingerprint checks and authentication tokens the login flow would normally demand. Alongside this, SharkBot’s keylogging captures sensitive data typed directly into the targeted application.
How to detect SharkBot malware?
SharkBot is not easy to detect; its dropper looks like an ordinary utility app. Keep an eye out for these warning signs that an account or device has been compromised:
- Abrupt, unexpected withdrawals from your account, or an increase in balance you did not cause, which can indicate the malware is moving funds
- A password-reset email from your crypto exchange for a request you never made
- An app you did not install appearing on the device, or an app asking for Accessibility Services access it has no reason to need
And take these precautions:
- Download applications only from reliable sources. If you download from an unknown source, read the reviews and look for signs of malicious activity
- Enable automatic updates for all applications on your device, so you always run the latest versions with patches for security vulnerabilities
- Install a reliable mobile security solution capable of identifying and removing malicious applications from the device. Anti-virus is the first line of defence against any malware threat, including SharkBot
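As an added example, not part of the article and not a published SharkBot detection tool, the script below turns two of the checks above into something a practitioner can run over `adb` output: it flags packages that were not installed by Google Play (the SharkBot payload is installed by the dropper, so its recorded installer is the dropper’s package name rather than the Play Store) and packages holding an enabled Accessibility Service. The sample command output and every package name in it are constructed for the demonstration.

```python
# Added example: triage of `adb shell` output for sideloaded packages and
# packages with an Accessibility Service enabled. All sample output and
# package names below are constructed, not real SharkBot indicators.
PLAY_STORE = "com.android.vending"

# Constructed output of: adb shell pm list packages -i
PACKAGES_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.phonecleaner  installer=com.android.vending
package:com.example.fakeupdate  installer=com.example.phonecleaner
package:com.example.sideloaded  installer=null
"""

# Constructed output of: adb shell settings get secure enabled_accessibility_services
ACCESSIBILITY_OUTPUT = (
    "com.example.fakeupdate/com.example.fakeupdate.AccService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)


def parse_installers(text: str) -> dict:
    """Map package name -> installer package (None when sideloaded or unknown)."""
    installers = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        installer = rest.strip()
        installers[pkg.strip()] = None if installer in ("", "null") else installer
    return installers


def parse_accessibility(text: str) -> set:
    """Package names with an enabled Accessibility Service (the setting reads 'null' when none)."""
    return {entry.split("/", 1)[0] for entry in text.strip().split(":") if "/" in entry}


def triage(packages_output: str, accessibility_output: str) -> list:
    """Return [(package, [reasons])] for packages that deserve a closer look."""
    installers = parse_installers(packages_output)
    a11y = parse_accessibility(accessibility_output)
    findings = []
    for pkg, installer in sorted(installers.items()):
        reasons = []
        if installer is None:
            reasons.append("sideloaded (no installer recorded)")
        elif installer != PLAY_STORE:
            # Dropper pattern: one app on the device installed another one.
            reasons.append(f"installed by another app: {installer}")
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if reasons:
            findings.append((pkg, reasons))
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(PACKAGES_OUTPUT, ACCESSIBILITY_OUTPUT):
        print(pkg, "->", "; ".join(reasons))
```

Note what the script does and does not catch: the dropper itself came from Google Play, so it is not flagged, which is exactly why the payload’s installer field is the useful signal. TalkBack legitimately holds an Accessibility Service, so every hit still needs a human look rather than automatic removal.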
If you notice suspicious activity, report it to your cryptocurrency exchange. Also change your password and revoke all active sessions from a device you trust, since a stolen session cookie keeps working until the session is invalidated. Even so, you might not get the funds back.
SharkBot is active in Europe and the USA. It is expected to keep evolving and to spread to more devices, more quickly and globally. Right now, vigilance is the only real way to keep it off your devices.
Cybersecurity has become essential for both businesses and individuals. A lack of security awareness and unpatched loopholes can lead to massive financial and personal data losses. With increasing digitization, cybercriminals are bound to become more active, and businesses need to engage robust security testing companies to keep them at bay and deliver a more secure and reliable app experience.
Author: Kano Anafora
Newslibre is a media company that provides informative news, technology, entertainment, web, startups, gadgets, and open source projects across the world and Uganda.