A new Android banking trojan named SharkBot is makings its presence felt
Image: The Record, David Clode
Catalin Cimpanu November 15, 2021

A new Android banking trojan named SharkBot is makings its presence felt

Catalin Cimpanu

November 15, 2021

A new Android banking trojan named SharkBot is makings its presence felt

  • At the end of October, security firms Cleafy and ThreatFabric have discovered a new Android banking trojan.
  • Named SharkBot, the malware targets the mobile users of banks in Italy and the UK.
  • The malware can automate the theft of user banking funds, but it can also target five cryptocurrency apps.

Security researchers have discovered a new Android banking trojan capable of hijacking users’ smartphones and emptying out e-banking and cryptocurrency accounts.

Named SharkBot, after one of the domains used for its command and control servers, the malware has been actively distributed since late October 2021, when it was first spotted by mobile security firms Cleafy and ThreatFabric.

“At the time of writing, we didn’t notice any samples on Google’s official marketplace,” Cleafy researchers said in a report on Friday.

Instead, SharkBot creators appear to rely on tricking users into downloading and manually installing (side-loading) the apps on their devices, a practice that Google has constantly warned against.

Once a malicious SharkBot-infected app is installed, the malware asks the users to grant it access to the Android Accessibility service, a feature designed to help physically impaired users to interact with their devices by automating certain tasks.

Instead, SharkBot uses these features to mimic screen taps and perform malicious tasks, such as granting itself admin rights, showing fake login screens on the user’s device, collecting keystrokes, intercepting/hiding 2FA SMS messages, and accessing mobile banking and cryptocurrency apps to transfer funds.

For now, SharkBot only comes with modules that allow it to show fake login screens and interact with the apps of 22 banks based in Italy and the UK, along with five cryptocurrency applications.

SharkBot-cleafy
Image: Cleafy

“We can confirm that SharkBot is indeed on the early stage of development,” Cengiz Han Sahin, founder and CEO of ThreatFabric, told The Record earlier today, echoing the conclusion of the Cleafy team.

Sahin says SharkBot’s usage of an automatic transfer system (ATS) to automate the process of stealing funds from users’ accounts is in line with a general trend observed in other Android banking trojans over the past two years, such as Alien, EventBot, Medusa, Gustuff, Anatsa, and FluBot.

“In the way the ATS is executed, it makes it a threat to any (banking) app,” Sahin told The Record, suggesting that new modules could be very easily added to expand the trojan’s targeting capabilities.

Other Android malware threats

But SharkBot is not the only Android malware strain discovered in recent weeks. While it’s the most dangerous, other Android malware families have also been discovered.

Among these, we list:

  • A new Android spyware strain named PhoneSpy. Discovered by Zimperium, the malware has primarily targeted South Korean users.
  • A new Android banking trojan named MasterFred. Discovered by Avast, the malware has targeted users of banks in Turkey and Poland and accounts for apps like Netflix, Instagram, and Twitter.
  • A new Android spyware strain named AbstractEmu. Discovered by Lookout, the malware contained a rare component that could root Android devices using five different exploits.
  • On top of that, we also have the daily deluge of Joker-infested apps  that make it on the official Play Store.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.