It can bypass two-factor authentication
Cybersecurity experts have discovered new malware that targets banking apps and crypto exchanges on Android smartphones.
It was discovered by Cleafy, a team of cybersecurity experts that helps banks and financial institutions scale up to fight against online fraud.
Named “SharkBot” by Cleafy, this trojan hacks into the banking apps installed on infected devices to “initiate money transfers bypassing multi-factor authentication.”
“BREAKING NEWS: we have tracked down a new Android banking malware, SharkBot. It can bypass Behavioral detections by leveraging ATS techniques. So far, traces show that it is actively targeting banks in UK and Italy. Stay tuned for a Technical Analysis, coming soon on @cleafylabs”
Cleafy (@Cleafy), November 5, 2021
“Once SharkBot is successfully installed in the victim’s device, attackers can obtain sensitive banking information through the abuse of Accessibility Services, such as credentials, personal information, current balance, etc., but also to perform gestures on the infected device,” said Cleafy in its report.
A Trojan is malicious code or software that enters the victim’s device unnoticed and then takes control of the device.
A Trojan, once installed, can read text, record keyboard strokes and give a doorway to more malware. It can even wipe clean the entire device or take it hostage by blocking data, modifying data and disrupting the device’s performance.
SharkBot is being categorized as a lethal malware because it targets only banking apps and crypto exchanges and initiates bank transfers.
Its new-generation technology and sophisticated operation make it even harder to detect.
Cleafy identified 22 different targets, including international banks from the UK and Italy, and 5 different cryptocurrency services that are attacked by SharkBot.
SharkBot hides itself as a legitimate application on a device. After it is installed, no icon is displayed while the malware gets all the permissions it needs by activating Android Accessibility Services.
However, the permission to activate accessibility services is given by users themselves.
SharkBot keeps showing a popup on the screen asking the user to allow access to these services. After seeing it appear multiple times on their screens, users allow the access.
SharkBot is not available on the Google Play Store, which means it cannot enter a device through an app installation from the store.
It is installed on devices through sideloading and social engineering schemes.
Sideloading is a process in which files are transferred between two devices – mobile phone to mobile phone or computer to mobile phone or mobile phone to computer.
It also applies to the transfer of apps from web sources that are not secure.
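A defender can check a device for the combination described above, an enabled accessibility service owned by an app that did not come from the Play Store. The following is an added example, not code from Cleafy or from the original article; the package names and the sample command output are constructed, and the `pm list packages -i` line format is assumed to be `package:<name>  installer=<installer>`.

```python
import re

PLAY_STORE = "com.android.vending"  # Google Play's installer package name

# Constructed sample of the value returned by:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.mediaplayer/com.example.mediaplayer.HelperService"
)

# Constructed sample of: adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.mediaplayer  installer=null
package:com.example.bank  installer=com.android.vending
"""

def parse_accessibility(value):
    """Return the package that owns each enabled accessibility service."""
    value = value.strip()
    if not value or value == "null":
        return []
    # The setting is a colon-separated list of "package/ServiceClass" entries.
    return [c.split("/", 1)[0] for c in value.split(":") if c]

def parse_installers(listing):
    """Map package name -> installer package (None when none is recorded)."""
    installers = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)$", listing, re.M):
        installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def suspicious_services(a11y_value, listing, allowlist=()):
    """Packages with an enabled accessibility service not installed via Play."""
    installers = parse_installers(listing)
    flagged = []
    for pkg in parse_accessibility(a11y_value):
        if pkg in allowlist:
            continue  # e.g. preinstalled vendor services with no installer
        if installers.get(pkg) != PLAY_STORE:
            flagged.append((pkg, installers.get(pkg)))
    return flagged

if __name__ == "__main__":
    for pkg, src in suspicious_services(SAMPLE_A11Y, SAMPLE_PACKAGES):
        print(f"review: {pkg} (installer: {src or 'none recorded'})")
```

Preinstalled system apps also report no installer, so the `allowlist` parameter is where known vendor accessibility services belong; a flagged package is a prompt for review, not proof of infection.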
SharkBot implements an overlay on mobile phones so that users enter passwords into the wrong app. It also intercepts text messages to get access to secret codes, logs keystrokes and bypasses two-factor authentication.
However, even after gaining access to all the accessibility features, SharkBot only uses a subsection of these features. The malware activates only when:
Once activated, SharkBot auto-fills all the fields in banking apps and initiates money transfers.
Since it also has access to text messages and notifications, it can also read the one-time password (OTP) sent to the user by the bank.
Cleafy says that SharkBot has a very low detection rate by antivirus software. The bot implements multiple techniques to avoid detection. The malware has been written from scratch, which makes its detection even more difficult.