SharkBot Android Trojan

SharkBot Android Trojan Description

Researchers have uncovered an attack operation involving a new Android Trojan named SharkBot. The threat is being deployed across multiple countries and geographical regions. The goal of the attackers is to collect sensitive information from their victims, such as account credentials and payment details. The current versions of SharkBot are capable of impersonating and affecting 27 targeted applications. Of these, 22 belong to banks from Italy and the UK, while 5 are cryptocurrency applications from the US.

Threatening Functionality

SharkBot shows no overlap with existing mobile banking Trojan families and is believed to be a custom-built threat that is still under active development. It is capable of performing the usual intrusive actions associated with this malware type. By abusing the legitimate Android Accessibility services, it can perform overlay attacks, showing fake login screens for the targeted apps and then siphoning the entered information. Furthermore, SharkBot can intercept SMS messages on the breached device and establish keylogging routines, among other actions.

However, the main goal of SharkBot is to initiate money transfers on the infected devices. By employing an Automatic Transfer Systems (ATS) technique, it can successfully counter several multi-factor authentication mechanisms. The ATS attack allows the cybercriminals to conduct money transfers by auto-filling the required fields of legitimate mobile banking applications and then wiring the victim's funds to a money mule network.

SharkBot also has a robust set of anti-detection and evasion techniques. It performs multiple checks for emulators running on the device while also hiding its own icon from the home screen. The threat's communication with its Command-and-Control (C2, C&C) server is encrypted with a strong algorithm.  


The threat is spread via weaponized applications that pretend to offer useful features. The applications could pose as media players, data recovery tools, or applications offering streaming and live TV services. It should be noted that so far none of the SharkBot applications have managed to breach the security of the Google Play Store. Instead, the attackers are most likely relying on third-party application platforms, side-loading techniques, or tricking users through various social-engineering tactics.
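
The two traits described above, reliance on Accessibility services and distribution outside the Google Play Store, can be combined into a simple device triage check. The following is an added example, not code from the original write-up: it assumes its inputs are the text output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`, and the function names and com.example.* packages are hypothetical. It flags any app matching the pattern, not SharkBot specifically.

```python
import re

# Assumption: only the Play Store counts as a trusted installer here.
TRUSTED_INSTALLERS = {"com.android.vending"}
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def parse_accessibility(setting_value):
    """Map package -> enabled accessibility service classes."""
    services = {}
    value = setting_value.strip()
    if not value or value == "null":  # setting unset: no services enabled
        return services
    for component in value.split(":"):  # colon-separated package/class entries
        pkg, sep, cls = component.partition("/")
        if sep and pkg:
            services.setdefault(pkg, []).append(cls)
    return services

def flag_suspicious(pm_output, setting_value, trusted=TRUSTED_INSTALLERS):
    """List apps with an enabled accessibility service and an untrusted installer."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, svcs in sorted(parse_accessibility(setting_value).items()):
        installer = installers.get(pkg)  # None: sideloaded or not listed
        if installer not in trusted:
            findings.append((pkg, installer or "none", svcs))
    return findings

# Constructed sample data; the com.example.* package names are made up.
SAMPLE_PM = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.mediaplayer  installer=null
package:com.example.notes  installer=com.android.vending
"""
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.mediaplayer/com.example.mediaplayer.HelperService")

if __name__ == "__main__":
    for pkg, installer, svcs in flag_suspicious(SAMPLE_PM, SAMPLE_A11Y):
        print(f"{pkg}: installer={installer} services={svcs}")
```

A hit is a lead for manual review rather than a verdict, since legitimate sideloaded accessibility tools match the same pattern.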