SharkBot Banking Trojan

Overview

A new banking trojan named ‘SharkBot’ has been seen targeting Android devices.

The malware abuses the Android Accessibility Services feature and uses it to gain control over legitimate banking apps installed on the phone. This lets the threat actor auto-fill fields in genuine mobile banking apps and carry out money transfers from the compromised device to a money mule network under the threat actor's control.

The malware is designed to attack 27 targets — including 22 international banks in Italy and the U.K. and 5 cryptocurrency apps in the U.S. It appears to be in the early stages of development, with no code overlap found with any known malware family.

Impact

SharkBot is used to initiate money transfers from compromised devices, bypassing existing security controls.

The attackers can also harvest sensitive information from apps, such as credentials, personal information and current account balances.

Affected Products

– Android Devices

No samples of the malware have been found on the official Google Play Store. The malicious apps are thought to reach users' devices either through sideloading or through social engineering schemes.

Mitigations

The malware is disguised as media player, live TV and data recovery applications, with names such as:
– Live Net TV
– UltData_Recovery
– Media Player HD

Be wary of applications with these names, especially when they are offered anywhere other than a reputable source such as the Google Play Store. Do not download applications like these from random, unknown and potentially dangerous platforms.

Indicators of Compromise

App Name
Media Player HD

Package Name
com.pycdvgljmfgh3hgp8jo72giu.omflsx1q2g

MD5
f7dfd4eb1b1c6ba338d56761b3975618

C2
sharkedtest1[.]xyz
sharkedtestuk[.]xyz
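As an added example that is not part of this bulletin, the script below matches the indicators listed above against constructed sample data: the output shape of `adb shell pm list packages`, an APK's bytes, and a DNS log whose line format is assumed. Indicator values are copied verbatim from the section above.

```python
import hashlib
import re

# Indicators taken from the bulletin's Indicators of Compromise section.
IOC_PACKAGES = {"com.pycdvgljmfgh3hgp8jo72giu.omflsx1q2g"}
IOC_MD5 = {"f7dfd4eb1b1c6ba338d56761b3975618"}
IOC_C2_DEFANGED = ["sharkedtest1[.]xyz", "sharkedtestuk[.]xyz"]


def refang(indicator):
    """Turn a defanged indicator such as 'sharkedtest1[.]xyz' back into a hostname."""
    return indicator.replace("[.]", ".").strip().lower()


IOC_C2 = {refang(d) for d in IOC_C2_DEFANGED}


def match_packages(pm_output):
    """Return bulletin package names present in 'pm list packages' output (lines 'package:<name>')."""
    found = []
    for line in pm_output.splitlines():
        name = line.strip()
        if name.startswith("package:"):
            name = name[len("package:"):]
        if name in IOC_PACKAGES:
            found.append(name)
    return found


def match_apk(apk_bytes):
    """Return True if the APK's MD5 equals the sample hash from the bulletin."""
    return hashlib.md5(apk_bytes).hexdigest() in IOC_MD5


def match_dns(log_lines):
    """Return (line_number, host) pairs where the queried host is a C2 domain or a subdomain of one."""
    host_re = re.compile(r"([a-z0-9.-]+\.[a-z]{2,})", re.I)
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for host in host_re.findall(line):
            h = host.lower().rstrip(".")
            if any(h == c2 or h.endswith("." + c2) for c2 in IOC_C2):
                hits.append((line_no, h))
    return hits


# Constructed sample data (not real device output or logs).
SAMPLE_PM = "package:com.android.chrome\npackage:com.pycdvgljmfgh3hgp8jo72giu.omflsx1q2g\n"
SAMPLE_DNS = [
    "2021-11-03T10:12:01Z android-1 query A www.example.com",
    "2021-11-03T10:12:05Z android-1 query A api.sharkedtestuk.xyz",
]
```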

Threat Landscape

SharkBot uses similar techniques to other banking trojans such as UBEL and TeaBot.

UBEL – This Android malware was observed in January 2021 abusing accessibility services to steal from European banking applications. Its codebase was then apparently forked and used in a separate botnet, called OSCORP, seen as part of a campaign in May.

TeaBot – Another Android banking trojan that stole users' credentials and intercepted SMS messages in order to commit financial fraud against banks in Spain, Germany, Italy, Belgium and the Netherlands.

Although SharkBot uses a new codebase, it continues the trend of banking trojans abusing Accessibility Services.

MITRE Methodologies

TA0006 – Credential Access
T1409 – Access Stored Application Data
T1411 – Input Prompt
T1417 – Input Capture
T1582 – SMS Control
T1517 – Access Notifications

Further Information

1. SharkBot a new generation of Android Trojans is targeting banks in Europe
2. The Hacker News – Italy CERT Warns of New Credential Stealing Android Malware
3. New Malware ‘Sharkbot’ Attacking Banking Apps On Android Phones
4. The Rage of Android Banking Trojans
5. The Hacker News – Experts warn of a new Android banking trojan stealing users’ credentials