SharkBot Android banking Trojan cleans users out

SharkBot Android banking Trojan cleans users out

Researchers have discovered and analyzed a new Android banking Trojan that allows attackers to steal sensitive banking information such as user credentials, personal information, current balance, and even to perform gestures on the infected device.

According to the researchers, SharkBot demonstrates:

“…how mobile malwares are quickly finding new ways to perform fraud, trying to bypass behavioural detection countermeasures put in place by multiple banks and financial services during the last years.”

Type and source of the infection

A banking Trojan is a type of Trojan specifically created to harvest credentials and other sensitive financial and personal information stored and processed through online banking systems. This particular one, dubbed SharkBot by the researchers, goes beyond that, and uses uses an Automatic Transfer System (ATS) technique to automate the process of stealing funds from users’ accounts.

ATS allows attackers to automatically fill in fields on an infected device with minimal human input. It launches an autofill service to facilitate fraudulent money transfers through legitimate financial service apps. SharkBot uses this technique to bypass behavioral analytics, biometric checks, and multi-factor authentication (MFA).

SharkBot isn’t available in the Google Play Store, so the threat actors would have to convince victims to sideload the app on their device. Sideloading refers to installing an app onto the device by copying the APK installer onto the device and manually installing it on the system, i.e. bypassing the app store. On many devices, in order to sideload apps you would need to obtain root access on the phone, something that often results in users ‘bricking’ their phone or turning it into a $800 paper weight.

Apps like these are often offered for download masquerading as a media player, live TV, or data recovery apps.

Android Accessibility service

In order to use ATS, the Trojan needs access to the Android Accessibility Service. So once SharkBot is installed, the malware asks the users to grant it access to the Android Accessibility service, a feature designed to help physically impaired users interact with their devices by automating certain tasks. SharkBot uses the access to Accessibility Services to perform tasks such as:

  • Overlay attacks against multiple applications to steal login credentials and credit card information. Overlay attacks allow the threat actor to show fake benign pop-ups over dangerous ones. This allows them to deceive a victim user into clicking “through” them, performing a specific action (such as accepting a permission)
  • Intercept and/or hide SMS messages. This feature is mostly used by threat actors to get the MFA sent by the bank via text messages
  • Keylogging, for example to record and send typed passwords to the attacker
  • Obtain full remote control of an Android device
  • Bypass Android’s doze component and stay connected to the C2 servers

Once the malicious app has been installed, no icon is displayed on the device and SharkBot is able to get all the permissions needed thanks to the enabled Accessibility Services. This is done by clicking instantly on the popup shown to the user.

Targets

Analysis of the samples revealed 22 different targets, including international banks from the UK and Italy and five different cryptocurrency services. So far, infections have been found in the UK, Italy, and the United States. As the app appeared to be in the development stage, the number of targets is likely to grow over time.

Detection

SharkBot uses different anti-analysis and detection techniques, in particular:

  • Obfuscation to slow down the static analysis and “hide” all the commands and important information used by the malware
  • Anti-emulator. When the malicious application is installed on the device, it checks if the device is an emulator or a real phone
  • Modular in that it uses an external ATS module. Once installed, the malware downloads an additional module from the C2. The external module is a “.jar” file that contains all the functionality used to perform the ATS attacks. So this functionality can not be found when analyzing the apk
  • Hide the icon of the app from the device screen
  • Anti-delete. Like other malware, SharkBot uses the Accessibility Services to prevent the user from uninstalling the malicious application from in Settings
  • Encrypted communication. All the communication between the malware and C2 are encrypted and encoded with Base64. In addition to this, SharkBot uses a Domain Generator Algorithm (DGA).

Malwarebytes detects SharkBot as Android/Trojan.BankBot.SHRK.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.