Hi Guys,

I hope you are doing well. All is well here :-).

Ok, here we go, another week, another set of malicious applications trying to empty your bank account. Researchers from Fox-IT have discovered a new version of the SharkBot banking malware hiding inside two applications currently available for download on the Google Play Store. If you have these two applications on your phone, please delete them straight away and contact our support team for assistance:

  • Mister Phone Cleaner
    Developer: Kristine Soft
  • Kylhavy Mobile Security
    Developer: Kylhavy Mobile Ltd

What is SharkBot?
SharkBot is a banking trojan that has been active since October 2021. It allows its creators to steal banking account credentials and bypass multi-factor authentication mechanisms. Here is a list of its main features:

  • Injections (overlay attack): SharkBot can steal credentials by showing a WebView with a fake login website (phishing) as soon as it detects the official banking app has been opened.
  • Keylogging: SharkBot can steal credentials by logging accessibility events (related to text field changes and buttons clicked) and sending these logs to the command and control server (C2).
  • SMS intercept: SharkBot can intercept/hide SMS messages.
  • Remote control/ATS: SharkBot can obtain complete remote control of an Android device (via Accessibility Services).
  • SharkBot attempts to make automatic money transfers from any bank account attached to your smartphone. It does this by simulating screen and keyboard presses on your phone. This malware can empty your bank account in seconds.

How can you stay safe?

In addition to removing the two guilty applications above:

  • Only install apps from the Google Play Store; before installing, check how many reviews the app has. (This is the most important thing to do)
  • Never install an app from a website that you do not trust. You can use Incognito Website Checker, and we will tell you if it is safe or not.
  • During installation, pay attention to the requested permissions and do not grant any permissions that appear unnecessary for the app’s core functionality.
  • You can also use Incognito’s App Check tool to check what permissions an installed app already has on your device. If you use this feature, you will be stunned by some of your installed apps’ permissions. I suggest you use this tool to check what apps have permissions on your device. Does a torchlight app need to be able to make phone calls, etc.?
  • Keep an eye on battery consumption; if your device goes dead fast, it is a clear sign of malware infection.
  • Also, keep an eye on network traffic volumes to identify any spikes, as this can be a sign of malicious processes running in the background.
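For readers comfortable with adb, here is an added example (not part of the original post, and not Incognito's App Check tool) of the permission check described above: it flags apps that have an accessibility service enabled or hold SMS or phone-call permissions. The package names and sample text are constructed, and the text layout is assumed to match what `adb shell settings get secure enabled_accessibility_services` and the runtime-permissions section of `adb shell dumpsys package <package>` return.

```python
# Added example: audit text captured from an Android device over adb.
# The input layout is an assumption; adjust the parsing to your device's output.
import re

# Permissions tied to capabilities listed above (SMS intercept, phone calls).
SENSITIVE = {
    "android.permission.RECEIVE_SMS": "can receive SMS",
    "android.permission.READ_SMS": "can read SMS",
    "android.permission.CALL_PHONE": "can place phone calls",
}

# Constructed sample data; every package name here is hypothetical.
ACCESSIBILITY_SETTING = "com.example.cleaner/.CleanService:com.example.reader/.TalkService"
RUNTIME_PERMISSIONS = {
    "com.example.cleaner": """
      android.permission.RECEIVE_SMS: granted=true
      android.permission.READ_SMS: granted=true
      android.permission.CAMERA: granted=false
    """,
    "com.example.torch": """
      android.permission.CAMERA: granted=true
      android.permission.CALL_PHONE: granted=true
    """,
    "com.example.reader": "android.permission.READ_SMS: granted=false",
}

def accessibility_packages(setting):
    """Package names from a colon-separated list of package/service components."""
    return {part.split("/", 1)[0] for part in setting.split(":") if "/" in part}

def granted_permissions(section):
    """Permissions marked granted=true in a runtime-permissions section."""
    return set(re.findall(r"^\s*([\w.]+): granted=true", section, re.MULTILINE))

def audit(setting, sections):
    """Return {package: [findings]} for apps that deserve a manual look."""
    a11y = accessibility_packages(setting)
    report = {}
    for pkg in sorted(set(sections) | a11y):
        granted = granted_permissions(sections.get(pkg, ""))
        findings = [SENSITIVE[p] for p in sorted(granted) if p in SENSITIVE]
        if pkg in a11y:
            findings.insert(0, "accessibility service enabled")
        if findings:
            report[pkg] = findings
    return report

if __name__ == "__main__":
    print(audit(ACCESSIBILITY_SETTING, RUNTIME_PERMISSIONS))
```

A finding is a prompt to ask whether the app's purpose justifies the access, not proof of infection; screen readers and password managers legitimately use accessibility services.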

Thanks, and please let me know if you need any assistance.

All the best,
Max Roberts
Incognito Privacy Care.