Security researchers have discovered a new Android banking trojan that abuses Accessibility Services to steal sensitive banking information, such as login credentials and credit card data, and that is also capable of intercepting legitimate banking communications sent through SMS.
Named SharkBot by researchers at Cleafy, the malware was first spotted at the end of October 2021. SharkBot's main goal is to initiate money transfers from compromised devices via the Automatic Transfer System (ATS) technique, bypassing multi-factor authentication mechanisms.
"Once SharkBot is successfully installed in the victim's device, attackers can obtain sensitive banking information through the abuse of Accessibility Services, such as credentials, personal information, current balance, etc., but also perform gestures on the infected device," Cleafy said in a new report.
While SharkBot is considered a “new” generation of mobile malware, as it is able to perform ATS attacks inside the infected device, it also comes with all the features common to today’s Android banking trojans, including:
- The ability to perform classic overlay attacks against multiple applications to steal login credentials and credit card information
- The ability to intercept or hide SMS messages
- Key-logging functionality
- The ability to obtain full remote control of an Android device (via Accessibility Services)
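Because the remote-control and overlay capabilities above hinge on the trojan getting its own accessibility service enabled, the first thing a responder wants to know about a suspect device is which packages are bound as accessibility services. The script below is an added triage example, not Cleafy's tooling or anything taken from the SharkBot analysis. It parses the value of Android's `enabled_accessibility_services` secure setting (a colon-separated list of `<package>/<service class>` entries, as returned by `adb shell settings get secure enabled_accessibility_services`) and flags any package not on an allowlist. The allowlist contents, the sample setting string, and the `com.example.mediaplayer` package are constructed for the example.

```shell
#!/bin/sh
# Added triage example: flag unexpected Android accessibility services.
# On a live device, obtain the input with:
#   adb shell settings get secure enabled_accessibility_services
# The setting is a colon-separated list of "<package>/<service class>" entries,
# or the literal string "null" when no service is enabled.

# Packages expected to bind an accessibility service on this device.
# Example values; edit for your own environment.
ALLOWED_PACKAGES="com.google.android.marvin.talkback com.android.switchaccess"

# Constructed sample of the setting's value: one legitimate screen reader plus
# an unknown package (made up for this example) that registered its own service.
SAMPLE_SETTING="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.mediaplayer/.a11y.Svc"

# Print one line per enabled accessibility service whose package is not in
# ALLOWED_PACKAGES. $1 is the raw setting string.
list_unexpected_a11y_services() {
    setting=$1
    if [ -z "$setting" ] || [ "$setting" = "null" ]; then
        return 0
    fi
    # Split entries on ':' and each entry into package and service class on '/'.
    printf '%s\n' "$setting" | tr ':' '\n' | while IFS=/ read -r pkg svc; do
        if [ -z "$pkg" ]; then
            continue
        fi
        case " $ALLOWED_PACKAGES " in
            *" $pkg "*) ;;   # expected package, nothing to report
            *) printf 'UNEXPECTED accessibility service: %s/%s\n' "$pkg" "$svc" ;;
        esac
    done
}

# Number of unexpected services in the setting string $1 (printed to stdout).
count_unexpected_a11y_services() {
    list_unexpected_a11y_services "$1" | wc -l | tr -d ' '
}

# Stand-alone usage against the constructed sample.
list_unexpected_a11y_services "$SAMPLE_SETTING"
echo "unexpected services: $(count_unexpected_a11y_services "$SAMPLE_SETTING")"
```

An entry on this list is a triage signal, not a verdict: legitimate assistive tools, password managers and automation apps also bind accessibility services, so each flagged package still needs to be identified (installer source, signing certificate, requested permissions) before it is treated as malicious.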
The researchers said they had not found any SharkBot samples on Google's official marketplace; instead, the malware is distributed through side-loading and social engineering schemes.
The malware is designed to target a total of 27 applications, including 22 unnamed international banks in Italy and the U.K. as well as five cryptocurrency apps in the U.S.
Based on multiple indicators, Cleafy believes that SharkBot could be at its early stages of development.
"So far, SharkBot has a very low detection rate by antivirus solutions (only 3/62). This means that the malware has been written from scratch, in addition to the fact that it uses an external module, downloaded from the C2, containing the ATS core functionalities and anti-detection techniques used to slow down the static and dynamic analysis," the researchers said.
"Analysing the underground hacking forums, we didn’t find any references to this malware. This makes us think that SharkBot is still a private botnet."