Researchers from cyber security firms Cleafy and ThreatFabric discovered SharkBot, a new Android banking trojan, at the end of October. The name is derived from one of the domains used for the malware's command and control servers.
The analysis published by the researchers states: "SharkBot is a 'new' generation of mobile malware because it can perform ATS attacks inside the infected device. This technique has recently been used by other banking trojans, such as Gustuff."
“ATS (Automatic Transfer System) is an advanced attack technique that allows attackers to auto-fill fields in mobile banking apps and initiate money transfers from compromised devices.”
It takes advantage of device accessibility features to steal credentials from banking and cryptocurrency services. The malware is designed to target 27 different apps, including 22 unnamed international banks in Italy and the United Kingdom, as well as five cryptocurrency apps in the United States.
The trojan attempts to hijack users' mobile devices and steal funds from their online banking and cryptocurrency accounts.
After the banking Trojan is installed on a user's device, threat actors can misuse Accessibility Services to steal sensitive banking and credit card information (i.e. login credentials, personal information, current balance, etc.).
SharkBot is also notable for the measures it takes to avoid detection and analysis, such as running emulator checks, encrypting command-and-control communications with a remote server, and hiding the app's icon from the home screen after installation. No samples of the malware were found on the official Google Play Store, so the malicious software is not available there.
Moreover, SharkBot appears to have all the main features of an Android banking trojan, achieved by abusing Accessibility Services, such as:
- Ability to perform classic Overlay Attacks against multiple applications to steal login credentials and credit card information
- Ability to intercept/hide SMS messages
- Ability to enable key-logging functionality
- Ability to obtain full remote control of an Android device (via Accessibility Services)
The report concluded: "With the discovery of SharkBot, we have shown new evidence about how mobile malware is rapidly finding new ways to perform fraud, attempting to bypass behavioural detection countermeasures put in place by multiple banks and financial services over the last years."
Indicators of Compromise
App Name: Media Player HD