[TheRecord] A new Android banking trojan named SharkBot is makings its presence felt

Security researchers have discovered a new Android banking trojan capable of hijacking users’ smartphones and emptying out e-banking and cryptocurrency accounts.

Named SharkBot, after one of the domains used for its command and control servers, the malware has been actively distributed since late October 2021, when it was first spotted by mobile security firms Cleafy and ThreatFabric.

“At the time of writing, we didn’t notice any samples on Google’s official marketplace,” Cleafy researchers said in a report on Friday.

Instead, SharkBot creators appear to rely on tricking users into downloading and manually installing (side-loading) the apps on their devices, a practice that Google has constantly warned against.

Once a malicious SharkBot-infected app is installed, the malware asks the users to grant it access to the Android Accessibility service, a feature designed to help physically impaired users to interact with their devices by automating certain tasks.

Instead, SharkBot uses these features to mimic screen taps and perform malicious tasks, such as granting itself admin rights, showing fake login screens on the user’s device, collecting keystrokes, intercepting/hiding 2FA SMS messages, and accessing mobile banking and cryptocurrency apps to transfer funds.

For now, SharkBot only comes with modules that allow it to show fake login screens and interact with the apps of 22 banks based in Italy and the UK, along with five cryptocurrency applications.

Image: Cleafy

“We can confirm that SharkBot is indeed on the early stage of development,” Cengiz Han Sahin, founder and CEO of ThreatFabric, told The Record earlier today, echoing the conclusion of the Cleafy team.

Sahin says SharkBot’s usage of an automatic transfer system (ATS) to automate the process of stealing funds from users’ accounts is in line with a general trend observed in other Android banking trojans over the past two years, such as Alien, EventBot, Medusa, Gustuff, Anatsa, and FluBot.

“In the way the ATS is executed, it makes it a threat to any (banking) app,” Sahin told The Record, suggesting that new modules could be very easily added to expand the trojan’s targeting capabilities.

Other Android malware threats

But SharkBot is not the only Android malware strain discovered in recent weeks. While it’s the most dangerous, other Android malware families have also been discovered.

Among these, we list:

A new Android spyware strain named PhoneSpy. Discovered by Zimperium, the malware has primarily targeted South Korean users.A new Android banking trojan named MasterFred. Discovered by Avast, the malware has targeted users of banks in Turkey and Poland and accounts for apps like Netflix, Instagram, and Twitter.A new Android spyware strain named AbstractEmu. Discovered by Lookout, the malware contained a rare component that could root Android devices using five different exploits.On top of that, we also have the daily deluge of Joker-infested apps  that make it on the official Play Store.

The post A new Android banking trojan named SharkBot is makings its presence felt appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[ZDNet] Siloscape: this new malware targets Windows containers to access Kubernetes clusters

All posts, ZDNet

Researchers say this is the first malware strain they know of that specifically targets Windows containers. Source: Read More (Latest topics for ZDNet in Security)

Read More

[SecurityWeek] Chinese Hackers Using Previously Unknown Backdoor

All posts, Security Week

Newly discovered cyber weapon uses elaborate multi-stage infection-chain to make detection and analysis difficult read more Source: Read More (SecurityWeek RSS Feed)

Read More

[ThreatPost] Critical Chrome Browser Bug Under Active Attack

All posts, ThreatPost

Google has patched its Chrome browser, fixing one critical cache issue and a second bug being actively exploited in the wild. Source: Read More (Threatpost)

Read More