A new Android banking trojan named SharkBot was discovered by researchers from cyber security firms Cleafy and ThreatFabric. It is named after one of the domains used for its command and control servers.
The malware which has been active at least since late October 2021, is targeting the mobile users of banks in Italy, the UK, and the US. The trojan allows to hijack users’ mobile devices and steal funds from online banking and cryptocurrency accounts.
Once the banking Trojan is installed on the victim’s device, threat actors can steal sensitive banking information by abusing Accessibility Services (i.e. login credentials, personal information, current balance, etc.).
SharkBot implements overlay attacks to steal login credentials and credit card information. SharkBot has a very low detection rate.
The malware implements multiple anti-analysis techniques, including string obfuscation routine, emulator detection and a domain generation algorithm (DGA).
The researchers stated that SharkBot belongs to a “new” generation of mobile malware, as it is able to perform ATS attacks inside the infected device. This technique was seen in other new banking trojans, such as Gustuff. ATS (Automatic Transfer System) is an advanced attack technique which enables attackers to auto-fill fields in legitimate mobile banking apps and initiate money transfers from the compromised devices.
The Trojan can read and hide SMS received from the infected user, a capability that allows attackers to intercept 2FA sent by the bank via SMSs.
The experts did not find any samples of the malware on the official Google Play Store. The malicious code is delivered on the users’ devices using both the side-loading technique and social engineering schemes.
As of now, the SharkBot can interact with the apps of 22 banks.