SharkBot is a new Android trojan (and botnet) capable of accessing various features on breached devices to obtain credentials related to banking and cryptocurrency platforms. Users in Italy, the U.K. and the U.S. have been targeted so far.
The Android banking threat was detected at the end of October 2021 by Cleafy researchers, who said they didn’t discover any references to existing malware families.
SharkBot Android Banking Trojan: Malicious Capabilities
As per the original report, the main goal of the banker is to initiate money transfers using Automatic Transfer System (ATS) techniques to bypass multi-factor authentication. By bypassing these security mechanisms, SharkBot also sidesteps the detection controls banks rely on to identify suspicious money transfers.
Who is targeted? Primarily Android users in the U.K., the U.S., and Italy, with a high possibility of other botnets with other configurations and targets, which can be enabled by the botnet’s modular architecture. Currently, due to its multiple anti-analysis techniques, SharkBot has a very low detection rate. These techniques include a string obfuscation routine, emulator detection, and a domain generation algorithm (DGA) for its network communication.
New Generation of Mobile Malware
The malware also utilizes the so-called overlay attacks to steal login credentials to cryptocurrency services and credit card details. This tactic is strengthened by the botnet’s capability to intercept legitimate banking communications sent via SMS.
“SharkBot belongs to a ‘new’ generation of mobile malware, as it is able to perform ATS attacks inside the infected device,” the researchers said. ATS, or Automatic Transfer System, is an advanced technique allowing attackers to auto-fill fields in legitimate mobile banking apps to initiate money transfers on compromised Android devices.
The technique makes attacks highly efficient, as minimal user interaction is required. Based on their findings, the research team suspects that SharkBot is attempting to bypass behavioral detection countermeasures, such as biometrics, which are widely deployed by banks and financial services. To achieve this, the malware abuses Android Accessibility Services, thus circumventing the need for the so-called “new device enrollment,” the report said.
Abuse of Accessibility Services equips SharkBot with all the crucial features of modern Android banking malware, including:
- Ability to perform classic Overlay Attacks against multiple applications to steal login credentials and credit card information;
- Ability to intercept/hide SMS messages;
- Ability to log keystrokes;
- Ability to obtain full remote control of an Android device (via Accessibility Services).
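Because every capability in the list above hinges on an enabled Accessibility Service, a banking app can defend itself by checking which services are active before it shows a transfer screen and by keeping sensitive fields out of the accessibility node tree. The snippet below is an added defensive example, not code from Cleafy’s report or from SharkBot; the allowlist entry and the class name are constructed placeholders.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.view.View;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Defensive checks a banking app can run before showing a transfer screen (hypothetical class). */
public final class AccessibilityGuard {

    // Constructed allowlist of service ids ("package/class") the app trusts,
    // e.g. a known screen reader. Populate it from the app's own policy.
    private static final Set<String> ALLOWED_SERVICE_IDS = new HashSet<>(Arrays.asList(
        "com.example.screenreader/com.example.screenreader.ReaderService"
    ));

    private AccessibilityGuard() {}

    /** Returns the ids of enabled accessibility services that are not on the allowlist.
     *  A non-empty result is a signal to warn the user or block the transfer flow. */
    public static List<String> unexpectedServices(Context ctx) {
        List<String> suspicious = new ArrayList<>();
        AccessibilityManager am =
            (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return suspicious;
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String id = info.getId(); // "package/class" of the enabled service
            if (!ALLOWED_SERVICE_IDS.contains(id)) suspicious.add(id);
        }
        return suspicious;
    }

    /** Hides a sensitive input (amount, IBAN, OTP) and its children from accessibility
     *  services, so a service that reads or auto-fills fields sees neither view nor value. */
    public static void shieldSensitiveField(View field) {
        field.setImportantForAccessibility(View.IMPORTANT_FOR_ACCESSIBILITY_NO_HIDE_DESCENDANTS);
    }
}
```

Hiding fields from accessibility also hides them from legitimate screen readers, so apply it only to the highest-risk inputs and pair it with the service check rather than relying on either alone.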
A curious fact is that the malware hasn’t been observed on the Google Play Store, meaning that its primary distribution relies on a combination of side-loading techniques and social engineering schemes.