A new Android banking trojan has been discovered targeting international banks and cryptocrrency services from the United Kingdom, Italy and the US. Twenty-two instances have been reported so far. The malware, first detected at the end of October 2021, appears to be new and is still being developed. It was discovered by Cleafy, an Italian fraud detection and prevention firm. Cleafy calls it ‘SharkBot’, named after the frequency of the word ‘sharked’ in its binaries.
SharkBot is not found in Google’s official marketplace which means it must be sideloaded by delivering the APK to the device and ensuring it is manually loaded. In a technical analysis of the malware that it poses as a legitimate application using common names and icons. If the attack succeeds and the malware is installed, it immediately attempts to enable Android’s Accessibility Services by delivering fake pop-ups to the victim such as ‘Allow Media Player to have full control of your device.’ If this is successful, SharkBot takes over all the permissions.[1]
Once accepted the malware can enable keylogging (to steal typed credentials), intercept SMS messages (to circumvent MFA), deliver overlay attacks (to steal login credentials and credit card information) and remotely control the device because permissions were granted via the fake pop-up. “Basically the malicious Accessibility Services can read anything a user can read and can recreate any action a user can on the device” says WatchGuard Technologies.
SharkBot also attempts a relatively unique technique known as an Automatic Transfer Systems (ATS) attack. “This technique has been seen recently from other banking trojans, such as Gustuff,” explains Cleafy. “ATS is an advanced attack technique (fairly new on Android) which enables attackers to auto-fill fields in legitimate mobile banking apps and initiate money transfers from the compromised devices.”
In the past, malware families like ZeuS and SpyEye used Webinject files to modify the websites of targeted organizations such as banks. A Webinject file is basically a text file with JavaScript and HTML code that contains the code the attacker wants to insert into the targeted websites. With ATS, however, attackers have taken things to the next level. Instead of merely passively stealing information, ATSs allow cybercriminals to instantly carry out financial transactions that could deplete users’ bank accounts without their knowledge. No longer needing user intervention to key in user names and passwords, ATSs allow cybercriminals to automatically transfer funds from victims’ accounts to their own ones without leaving traces of their presence.
The ATS functionality is contained in a module downloaded separately from the C2. “Given its modular architecture,” comments Cleafy, “we don't exclude the existence of botnets with other configurations and targets.” The assumption is that ATS is used by SharkBot to bypass the behavioral detection measures used by many financial institutions. If ATS is used on what is a trusted device, a ‘new device enrollment’ phase is not necessary, SMS-based MFA can be bypassed, and behavioral biometrics are not effective.
Although relatively few instances of SharkBot have been discovered in the wild, Cleafy suspects that the SharkBot threat will grow. This is partly because it is new, and apparently still being developed. “The implications of becoming infected with SharkBot could be severe, so it's important,” says Nachreiner, “to avoid being infected altogether.” This is not yet easy. The malware is new and not well detected by existing detection means. Apart from the DGA for its C2s, it also uses anti-analysis techniques including obfuscated strings and emulator detection. The best solution is to avoid side-loading religiously. Without 100% certainty in the authenticity of the application and the validity of its source, the easy button here is: simply do not install it.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
[1] https://www.securityweek.com/new-%E2%80%98sharkbot%E2%80%99-android-banking-malware-hitting-us-uk-and-italy-targets
Comments