SharkBot malware found on Google Play Store stealing login info again


The information-stealing Android malware, which targets banking data, was found being installed through applications masquerading as antivirus or cleaner apps on the official Google Play Store.


The notorious Android banking trojan known as SharkBot has once again made an appearance on the Google Play Store by masquerading as antivirus and cleaner apps.

The threat targets banking login information and spreads via applications that have already gathered tens of thousands of installations from the store. The two Android applications used to distribute the infection contained no malicious code or features when they were submitted.

This new version asks the victim to install the malware as a fake update for the antivirus to stay protected against threats.

The apps in question, Mister Phone Cleaner and Kylhavy Mobile Security, have over 60,000 installations between them and are designed to target users in Spain, Australia, Poland, Germany, the U.S., and Austria –

  • Mister Phone Cleaner (com.mbkristine8.cleanmaster, 50,000+ downloads)
  • Kylhavy Mobile Security (com.kylhavy.antivirus, 10,000+ downloads)

New version of SharkBot Malware

New versions of the same malware, which can be called SharkBot 2.25, were discovered on August 22.

These campaigns show that the malware's capabilities now include stealing cookies from bank account logins.

The malware also makes automatic detection more difficult by storing its hard-coded configuration in encrypted form using the RC4 algorithm. Its main goal is to obtain cookies that are valuable for taking over accounts.


Sample Hashes:

  • a56dacc093823dc1d266d68ddfba04b2265e613dcc4b69f350873b485b9e1f1c (Google Play SharkBotDropper)
  • 9701bef2231ecd20d52f8fd2defa4374bffc35a721e4be4519bda8f5f353e27a (Dropped SharkBot v1.64.1)

SharkBotDropper C2:

  • hxxp://statscodicefiscale[.]xyz/stats/

‘Auto/Direct Reply’ URL used to distribute the malware:

  • hxxps://bit[.]ly/34ArUxI
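A sweep for the indicators listed above, as an added example that is not part of the original article: it checks `pm list packages` output for the two dropper package IDs and checks proxy log lines for the network indicators, matching the shared bit.ly shortener by host plus path rather than by host alone. The log line layout and the sample data are constructed assumptions.

```python
from urllib.parse import urlsplit

# Indicators copied from this article, kept defanged as published.
BAD_PACKAGES = {"com.mbkristine8.cleanmaster", "com.kylhavy.antivirus"}
DEFANGED_URLS = ["hxxp://statscodicefiscale[.]xyz/stats/", "hxxps://bit[.]ly/34ArUxI"]
SHARED_HOSTS = {"bit.ly"}  # shared shortener: match host + path, never host alone

def refang(ioc):
    """Turn a defanged indicator back into a parseable URL."""
    return ioc.replace("hxxp", "http", 1).replace("[.]", ".")

def build_matchers(defanged):
    """Split indicators into whole-host matches and exact (host, path) matches."""
    hosts, exact = set(), set()
    for ioc in defanged:
        u = urlsplit(refang(ioc))
        if u.hostname in SHARED_HOSTS:
            exact.add((u.hostname, u.path.rstrip("/")))
        else:
            hosts.add(u.hostname)
    return hosts, exact

def flagged_packages(pm_output):
    """Parse `pm list packages` output (one "package:<id>" per line)."""
    installed = {line.split(":", 1)[1].strip()
                 for line in pm_output.splitlines() if line.startswith("package:")}
    return sorted(installed & BAD_PACKAGES)

def flagged_requests(log_lines):
    """Return log lines whose URL field matches a network indicator."""
    hosts, exact = build_matchers(DEFANGED_URLS)
    subdomains = tuple("." + h for h in hosts)
    hits = []
    for line in log_lines:
        url = next((f for f in line.split() if f.startswith(("http://", "https://"))), None)
        if url is None:
            continue
        u = urlsplit(url)
        host = u.hostname or ""
        if host in hosts or host.endswith(subdomains) or (host, u.path.rstrip("/")) in exact:
            hits.append(line)
    return hits

# Constructed sample data (assumed format: timestamp, client, method, URL, status).
SAMPLE_PM = "package:com.android.chrome\npackage:com.kylhavy.antivirus\npackage:com.example.notes\n"
SAMPLE_LOG = [
    f"2022-09-01T10:00:01Z 192.0.2.5 GET {refang(DEFANGED_URLS[0])} 200",
    "2022-09-01T10:00:02Z 192.0.2.6 GET https://bit.ly/3abcXYZ 301",
    f"2022-09-01T10:00:03Z 192.0.2.7 GET {refang(DEFANGED_URLS[1])} 301",
]
```

On a device reachable over adb, the package listing can be collected with `adb shell pm list packages` and passed to `flagged_packages`.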


By | 2022-09-05T23:28:20+05:30 September 5th, 2022|Malware, Mobile Security, Security Advisory, Security Update, Tips|
