SharkBot Trojan Targets Bank and Cryptocurrency Credentials
Attacks Are Widespread Across the UK, Italy and the US
A newly identified banking Trojan dubbed SharkBot is now targeting banking and cryptocurrency service customers across the U.K., Italy and the U.S. through a sideloading campaign and/or a social engineering campaign that attempts to "initiate money transfers from the compromised devices via automatic transfer system techniques, bypassing multifactor authentication mechanisms such as strong customer authentication," according to the Cleafy threat intelligence research team.
The malware has targeted customers of 22 different banks across the U.K. and Italy and five cryptocurrency services in the U.S., but it's not clear how many individual victims there have been or who's behind the campaign, the researchers say. They note that no references to this malware were found even on the underground hacking forums and add, "This makes us think that SharkBot is still a private botnet."
The SharkBot Trojan
Researchers at Cleafy discovered this new Android banking Trojan at the end of October. The Trojan allows attackers to steal sensitive banking and cryptocurrency information - including user credentials, personal information and current balance - and to perform actions and clicks on the infected device.
SharkBot masquerades as a legitimate app using common names and icons, such as media player, live TV, or data recovery apps.
Traditionally, a banking Trojan is specifically used to harvest credentials and other sensitive financial and personal information stored in a device so that it can be leveraged by threat actors in future online frauds or phishing campaigns. But SharkBot goes beyond that, the researchers say.
It uses an Automatic Transfer Systems technique to automate the process of stealing funds from users' accounts, the researchers note. They explain that ATS allows attackers to automatically fill in the fields on an infected device with minimal human input, which facilitates fraudulent money transfers through legitimate banking and cryptocurrency service apps.
SharkBot has two main features. The first enables it to read and hide SMS messages received on the infected device, a capability widely used for capturing 2FA/MFA codes sent by banks. The second is an overlay attack, which is used to exfiltrate login credentials for banking and cryptocurrency apps as well as credit card data. The researchers note that SharkBot uses these features to bypass 2FA, behavioral biometric analytics and other detection mechanisms.
The apps that SharkBot masquerades as are not available in the Google Play Store, the researchers note. They say this means the threat actors are convincing their victims through social engineering techniques to sideload the app on their device.
Sideloading is a process in which an app is installed by copying the APK installer onto the device and manually installing it. This method also bypasses the app store's checks, the researchers say.
Exploiting Android Accessibility
To use ATS, the Trojan needs a certain level of access rights to carry out its spying operations. Once SharkBot is successfully installed, no icon is displayed on the device, but the Trojan keeps prompting the user to grant it access to the Android Accessibility service, which is a feature that automates certain tasks for physically impaired users. The researchers say that access to this feature enables the Trojan to monitor and perform the following tasks:
- Remotely control the Android device;
- Intercept and/or hide SMS messages;
- Install keyloggers and exfiltrate credentials;
- Initiate overlay attacks by showing fake pop-ups and convincing users to click on them;
- Bypass Android’s doze component and stay connected to the C2 servers.
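The SMS, overlay and accessibility capabilities described above all have to be declared in an app's manifest, which makes a manifest review a cheap first triage step for a sideloaded APK. The following is an added example written for this article, not Cleafy's tooling or any code from the SharkBot sample. The manifests are constructed for illustration; the permission names, the service permission and the accessibility intent action are real Android identifiers, and the scoring weights are an assumption.

```python
"""Triage an Android manifest for the capability pattern described above.

Added example, not Cleafy's tooling. Both manifests below are constructed
for illustration; the scoring weights are an assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Manifest entries an app must declare to obtain the capabilities the
# article attributes to SharkBot.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
# An app exempt from Doze can keep a persistent C2 connection.
DOZE_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"

# Constructed sample: a "media player" with a SharkBot-like capability set.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mediaplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application android:label="Media Player">
        <service android:name=".A11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: what a media player would normally need.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.player">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Player"/>
</manifest>
"""


def extract_capabilities(manifest_xml: str) -> dict:
    """Map the manifest's declarations onto the capabilities of interest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    a11y = any(
        s.get(PERM_ATTR) == ACCESSIBILITY_PERM
        or any(a.get(NAME_ATTR) == ACCESSIBILITY_ACTION for a in s.iter("action"))
        for s in root.iter("service")
    )
    return {
        "package": root.get("package"),
        "sms": bool(perms & SMS_PERMS),
        "overlay": OVERLAY_PERM in perms,
        "accessibility_service": a11y,
        "doze_exemption": DOZE_PERM in perms,
        "installs_packages": INSTALL_PERM in perms,
    }


def triage(manifest_xml: str) -> tuple[int, list[str]]:
    """Return a risk score and the findings that produced it (weights assumed)."""
    caps = extract_capabilities(manifest_xml)
    score, findings = 0, []
    if caps["accessibility_service"]:
        score += 3; findings.append("declares an accessibility service")
    if caps["sms"]:
        score += 2; findings.append("can read or receive SMS")
    if caps["overlay"]:
        score += 2; findings.append("can draw over other apps")
    if caps["doze_exemption"]:
        score += 1; findings.append("asks to be exempt from Doze")
    if caps["installs_packages"]:
        score += 1; findings.append("can request package installs")
    # Accessibility combined with SMS or overlay access is the pairing worth escalating.
    if caps["accessibility_service"] and (caps["sms"] or caps["overlay"]):
        score += 3; findings.append("accessibility combined with SMS/overlay")
    return score, findings


if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        score, findings = triage(xml)
        print(f"{name}: score={score} findings={findings}")
```

The manifest inside a real APK is binary-encoded, so in practice the XML is first decoded with a tool such as apktool or aapt2; the scoring logic above is the same either way.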
Citing the examples of TeaBot and UBEL malware, the researchers say that malware usually uses one or two evasion techniques to avoid detection, but SharkBot uses several anti-analysis and anti-detection techniques. Some of the most notable are:
- Obfuscation: This slows down the static analysis and hides all the commands and important information used by the malware.
- Anti-emulator: When the malicious application is installed on the device, it checks if the device is an emulator or a real phone. This technique is usually used to bypass sandboxes or common emulators.
- External ATS module: Once installed, the malware downloads an additional module from the C2. The external module is a ".jar" file that contains all the functionality used to perform the ATS attacks, so this functionality is not visible when analyzing the APK alone.
- Anti-delete: Like other malware, SharkBot uses the Accessibility Services of Android to prevent users from uninstalling the malicious application from the settings options.
- Encrypted communication: All communication between the malware and the C2 is encrypted and Base64-encoded. In addition, SharkBot uses a domain generation algorithm (DGA).
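Because the C2 domains come from a DGA rather than a fixed list, a blocklist is of limited use, and DNS query logs are the more durable place to look. The following is an added example, not Cleafy's detection logic and not derived from SharkBot's actual DGA; the log lines and their field layout (src, qname, rcode) are constructed, and the thresholds are assumptions chosen for illustration. Entropy and vowel-ratio heuristics are a first-pass filter that needs tuning against an organisation's own traffic, not a definitive classifier.

```python
"""Heuristic DGA triage over DNS query logs.

Added example, not Cleafy's detection logic. The log lines below are
constructed; field names and thresholds are assumptions.
"""
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")

# Constructed sample log lines (not from any real capture).
SAMPLE_LOG = """\
2021-11-02T10:15:01Z src=10.0.0.5 qname=www.examplebank.com qtype=A rcode=NOERROR
2021-11-02T10:15:03Z src=10.0.0.5 qname=mybankingportal.com qtype=A rcode=NOERROR
2021-11-02T10:15:04Z src=10.0.0.7 qname=xq7kz9vbt2rlwp.com qtype=A rcode=NXDOMAIN
2021-11-02T10:15:05Z src=10.0.0.7 qname=p3wlm8zqvkxr7t.com qtype=A rcode=NXDOMAIN
2021-11-02T10:15:06Z src=10.0.0.7 qname=accounts.examplebank.com qtype=A rcode=NOERROR
"""


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value key=value ...' into a dict (assumed format)."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def registered_label(qname: str) -> str:
    """Return the label left of the TLD (assumes single-label TLDs; a
    public-suffix list would be needed for e.g. .co.uk)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score near log2(len)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def dga_indicators(label: str) -> list[str]:
    """Independent indicators that a label looks machine-generated."""
    hits = []
    if len(label) >= 12:
        hits.append("long label")
    if shannon_entropy(label) >= 3.5:
        hits.append("high entropy")
    if label and sum(c in VOWELS for c in label) / len(label) <= 0.25:
        hits.append("few vowels")
    if label and sum(c.isdigit() for c in label) / len(label) >= 0.2:
        hits.append("many digits")
    return hits


def is_dga_like(label: str, min_indicators: int = 3) -> bool:
    # Requiring several indicators keeps long real words (high entropy alone)
    # such as "mybankingportal" from being flagged.
    return len(dga_indicators(label)) >= min_indicators


def flagged_by_source(log_text: str) -> dict[str, list[str]]:
    """Group DGA-like query names by the client that issued them."""
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_dga_like(registered_label(rec["qname"])):
            flagged[rec["src"]].append(rec["qname"])
    return dict(flagged)


if __name__ == "__main__":
    for src, names in flagged_by_source(SAMPLE_LOG).items():
        print(f"{src}: {len(names)} DGA-like queries -> {names}")
```

A client that produces a burst of DGA-like names, most of them answered NXDOMAIN, is the pattern to alert on: a DGA registers only a few of the domains it generates, so the infected device walks through failures until it hits a live one.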
The researchers note that the SharkBot Trojan currently has a very low detection rate among antivirus solutions: at the time of this writing, only 20 of 62 antivirus vendors were able to detect it.
The Latest Update
According to an Android malware analyst known on Twitter as @_icebre4ker_, the SharkBot Trojan has added a new command, "collectContacts," which, as the name suggests, appears to collect all contact details from the victim's device. Separately, the analyst has shared a downloadable sample of the Trojan, claiming that SharkBot has now started encrypting the device database.
Mobile Devices: A False Sense of Security
Mobile devices are often considered "safe" compared to desktop computers, says Uriel Maimon, senior director of emerging technologies at PerimeterX. He tells ISMG: "This is due to the perception that desktop operating systems and applications can get infected with malware and vulnerabilities, while mobile devices, which are more in line with consumer electronics, can't be exploited. This is very clearly not the case, and mobile devices are exposed to both online theft and actual physical theft of the device itself."
In fact, bank account-stealing Trojans have been around since at least the late 1990s, according to Roger Grimes, data-driven defense evangelist at KnowBe4, so they certainly are not new. Grimes says: "Mobile browsing is increasingly becoming the primary internet access method, so it only makes sense that mobile versions would continue to proliferate. Although SharkBot is not the first mobile or most prolific, bank or crypto account-stealing Trojans are yet another example of the increasing sophistication that malware writers are using to evade detection and analysis. It is also continued evidence that MFA logins will not solve the problem of malware and hackers.
"The only hope is to train people on how to avoid common social engineering attacks that target mobile phone users, in this instance, because once someone's cellphone is compromised, it is game over. The only hope is prevention. And you can prevent the vast majority of these attacks by training people on how to avoid getting tricked into installing Trojan horse malware."
Maimon adds, "This new SharkBot Android banking Trojan underscores the need for companies to monitor all user transactions from a behavioral standpoint. They should also ensure they have the ability to affect interventions and stop malicious actions, since any account can be taken over at any time."
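The behavioral monitoring and intervention that Maimon describes can be sketched as a server-side rule set over the signals a banking back end already has for a transfer. The following is an added example written for this article, not PerimeterX's or any bank's product logic; the session records, feature names and thresholds are constructed assumptions about what an app's telemetry would report. The one design point it takes directly from the article is that the step-up challenge must not be deliverable over SMS, since SharkBot reads and hides SMS on the infected device.

```python
"""Rule-based behavioral scoring of a mobile money transfer.

Added example, not PerimeterX's or any bank's product logic. Sessions,
feature names and thresholds are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class TransferSession:
    user_id: str
    seconds_login_to_submit: float      # time from login to transfer submission
    form_fill_seconds: float            # time spent filling payee and amount fields
    new_payee: bool                     # first transfer to this beneficiary
    amount: float
    typical_amount: float               # user's median transfer over the last 90 days
    accessibility_service_active: bool  # non-allowlisted accessibility service enabled (assumed app signal)
    device_age_days: int                # days since this device was first seen for the user


def score_session(s: TransferSession) -> tuple[int, list[str]]:
    """Return a risk score and the reasons behind it (weights assumed)."""
    score, reasons = 0, []
    # An ATS module fills fields programmatically in a fraction of a second;
    # a person typing a payee and an amount takes several seconds.
    if s.form_fill_seconds < 1.0:
        score += 3; reasons.append("form filled faster than a human could type")
    if s.seconds_login_to_submit < 10:
        score += 2; reasons.append("transfer submitted seconds after login")
    if s.new_payee:
        score += 2; reasons.append("first transfer to this payee")
    if s.typical_amount > 0 and s.amount > 5 * s.typical_amount:
        score += 2; reasons.append("amount far above the user's typical transfer")
    if s.accessibility_service_active:
        score += 2; reasons.append("unknown accessibility service active on the device")
    if s.device_age_days < 1:
        score += 1; reasons.append("device first seen today")
    return score, reasons


def decide(s: TransferSession) -> str:
    """Map the score to an intervention."""
    score, _ = score_session(s)
    if score >= 7:
        return "hold"       # park the transfer and contact the customer out of band
    if score >= 4:
        return "step_up"    # challenge that cannot be captured by SMS interception
    return "allow"


# Constructed sessions: scripted ATS-style transfer, routine transfer, and
# a legitimate but unusual one.
ATS_LIKE = TransferSession("u1", 6.0, 0.3, True, 4000.0, 300.0, True, 0)
ROUTINE = TransferSession("u2", 95.0, 14.0, False, 250.0, 300.0, False, 400)
UNUSUAL = TransferSession("u3", 120.0, 12.0, True, 2000.0, 300.0, False, 30)

if __name__ == "__main__":
    for sess in (ATS_LIKE, ROUTINE, UNUSUAL):
        score, reasons = score_session(sess)
        print(f"{sess.user_id}: {decide(sess)} (score {score}) {reasons}")
```

Thresholds like these are only a starting point; the weights are tuned against a bank's own fraud history, and the "accessibility service active" signal depends on the app reporting which services are enabled, which is an assumption here rather than something the article describes.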