On Monday, a new Android malware was revealed that abuses devices’ accessibility services to steal passwords from banking and cryptocurrency services in Italy, the United Kingdom, and the United States.
A new strain of malware, codenamed “SharkBot,” was discovered in late October 2021. According to what has been revealed so far, the threat targets 27 different organizations: 22 unnamed international banks based in Italy and the United Kingdom, and five cryptocurrency applications in the United States.
According to the researchers, the primary purpose of SharkBot is to circumvent multi-factor authentication measures (e.g. SCA, Strong Customer Authentication) in order to conduct money transfers from compromised devices using the Automatic Transfer Systems (ATS) technique.
Once SharkBot is installed on the victim’s device, attackers can obtain sensitive financial information, such as personal details, the current balance and passwords, simply by abusing Accessibility Services.
SharkBot, like its malware cousins TeaBot and UBEL, poses as a media player, live TV, or data recovery program to trick users into granting it wide permissions in order to collect their personal information. The exploitation of accessibility settings allows the operators to auto-fill forms in genuine mobile banking applications and begin money transfers from the hacked devices to the threat actor’s money mule network.
This mode of operation effectively bypasses the two-factor authentication protection that the banking apps have put in place.
Among the techniques SharkBot uses to evade analysis and detection are emulator checks, encryption of command-and-control traffic with a remote server, and hiding the app’s icon from the home screen after installation.
This banking trojan’s additional capabilities include performing overlay attacks to steal login passwords and credit card details, intercepting legitimate SMS banking messages, keylogging, and gaining complete remote control of affected devices.
So far, no samples of the trojan have been found in the official Google Play Store, indicating that the threat is either sideloaded or delivered through social engineering.
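Two details above give a defender something concrete to check on a managed Android fleet: the malware only works once the user grants it an accessibility service, and it does not arrive through Google Play. The following script is an added example (not code from the article or from any researcher it cites) that triages the output of two standard `adb shell` commands, `settings get secure enabled_accessibility_services` and `pm list packages -i`, and flags any enabled accessibility service whose package is not on an organisation's allowlist or was not installed by the Play Store (`com.android.vending`). The sample outputs and the `com.example.*` package names are constructed for the example; the allowlist is a hypothetical one an administrator would maintain.

```python
import re

# Constructed sample output, in the format of:
#   adb shell settings get secure enabled_accessibility_services
# Entries are "package/service" pairs separated by ':'.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.mediaplayer/com.example.mediaplayer.AccService"
)

# Constructed sample output, in the format of:
#   adb shell pm list packages -i
# Sideloaded apps report "installer=null".
SAMPLE_PACKAGES = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.mediaplayer  installer=null
package:com.example.bank  installer=com.android.vending
"""

# Hypothetical allowlist: accessibility services the organisation expects to see enabled.
KNOWN_GOOD_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

PLAY_STORE_INSTALLER = "com.android.vending"


def parse_enabled_services(raw):
    """Split the colon-separated settings value into 'package/service' entries."""
    return [entry for entry in raw.strip().split(":") if entry]


def parse_installers(raw):
    """Map each package name to the installer package reported by 'pm list packages -i'."""
    installers = {}
    for line in raw.splitlines():
        match = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def flag_suspicious(enabled_raw, packages_raw, allowlist=KNOWN_GOOD_SERVICES):
    """Return (package, service, reasons) for every enabled accessibility service
    that is off the allowlist or whose package did not come from the Play Store."""
    installers = parse_installers(packages_raw)
    findings = []
    for service in parse_enabled_services(enabled_raw):
        package = service.split("/", 1)[0]
        reasons = []
        if service not in allowlist:
            reasons.append("accessibility service not on allowlist")
        installer = installers.get(package)
        if installer != PLAY_STORE_INSTALLER:
            reasons.append("not installed from Play Store (installer=%s)" % installer)
        if reasons:
            findings.append((package, service, reasons))
    return findings


if __name__ == "__main__":
    for package, service, reasons in flag_suspicious(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGES):
        print("SUSPICIOUS %s (%s): %s" % (package, service, "; ".join(reasons)))
```

On a real device the two strings would come from `subprocess.run(["adb", "shell", ...])`; the parsing and the two checks stay the same. The check is deliberately narrow: a legitimate app that was sideloaded for testing will also be flagged, which is the right failure direction for a triage script, since an enabled accessibility service from an unknown source is exactly what the banking trojan described above relies on.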