'SharkBot' Android malware targeting banks in Europe

silversurfer

Security researchers have discovered a new Android banking trojan capable of hijacking users’ smartphones and emptying out e-banking and cryptocurrency accounts.

Named SharkBot, after one of the domains used for its command and control servers, the malware has been actively distributed since late October 2021, when it was first spotted by mobile security firms Cleafy and ThreatFabric.

“At the time of writing, we didn’t notice any samples on Google’s official marketplace,” Cleafy researchers said in a report on Friday.

Instead, SharkBot creators appear to rely on tricking users into downloading and manually installing (side-loading) the apps on their devices, a practice that Google has constantly warned against.

Once a malicious SharkBot-infected app is installed, the malware asks the users to grant it access to the Android Accessibility service, a feature designed to help physically impaired users to interact with their devices by automating certain tasks.

Instead, SharkBot uses these features to mimic screen taps and perform malicious tasks, such as granting itself admin rights, showing fake login screens on the user’s device, collecting keystrokes, intercepting/hiding 2FA SMS messages, and accessing mobile banking and cryptocurrency apps to transfer funds.

For now, SharkBot only comes with modules that allow it to show fake login screens and interact with the apps of 22 banks based in Italy and the UK, along with five cryptocurrency applications.
 
