'SharkBot' Android malware targeting banks in Europe

silversurfer

Security researchers have discovered a new Android banking trojan capable of hijacking users’ smartphones and emptying out e-banking and cryptocurrency accounts.

Named SharkBot, after one of the domains used for its command and control servers, the malware has been actively distributed since late October 2021, when it was first spotted by mobile security firms Cleafy and ThreatFabric.

“At the time of writing, we didn’t notice any samples on Google’s official marketplace,” Cleafy researchers said in a report on Friday.

Instead, SharkBot creators appear to rely on tricking users into downloading and manually installing (side-loading) the apps on their devices, a practice that Google has constantly warned against.

Once a malicious SharkBot-infected app is installed, the malware asks the users to grant it access to the Android Accessibility service, a feature designed to help physically impaired users to interact with their devices by automating certain tasks.

Instead, SharkBot uses these features to mimic screen taps and perform malicious tasks, such as granting itself admin rights, showing fake login screens on the user’s device, collecting keystrokes, intercepting/hiding 2FA SMS messages, and accessing mobile banking and cryptocurrency apps to transfer funds.

For now, SharkBot only comes with modules that allow it to show fake login screens and interact with the apps of 22 banks based in Italy and the UK, along with five cryptocurrency applications.