Researchers have discovered a new Android banking trojan capable of hijacking users’ smartphones and emptying out e-banking and cryptocurrency accounts.Dubbed SharkBot, after one of the domains used for its C2C.

SharkBot creators appear to rely on tricking users into downloading and manually installing the apps on their devices, a practice that Google has constantly warned against.

Advertisements

Once after the malicious infected app installed, the malware asks the users to grant it access to the Android Accessibility service, a feature designed to help physically impaired users to interact with their devices by automating certain tasks.

SharkBot uses these features to mimic screen taps and perform malicious tasks, such as granting itself admin rights, showing fake login screens on the user’s device, collecting keystrokes, intercepting, hiding 2FA SMS messages, and accessing mobile banking and cryptocurrency apps to transfer funds.

SharkBot only comes with modules that allow it to show fake login screens and interact with the apps of 22 banks based in Italy and the UK, along with five cryptocurrency applications.

SharkBot’s usage of an automatic transfer system (ATS) to automate the process of stealing funds from users’ accounts is in line with a general trend observed in other Android banking trojans over the past two years, such as Alien, EventBot, Medusa, Gustuff, Anatsa, and FluBot.

The way the ATS is executed, it makes it a threat to any financial banking app. The new modules could be very easily added to expand the trojan’s targeting capabilities

Advertisements

Indicators of Compromise

App Name – Media Player HD
Package Name –
com.pycdvgljmfgh3hgp8jo72giu.omflsx1q2g
MD5 – f7dfd4eb1b1c6ba338d56761b3975618
C2 – Sharkedtest1[.]xyz, sharkedtestuk[.]xyz