Posted on November 17, 2021 at 6:57 PM
Researchers have uncovered a new Android banking Trojan that enables threat actors to steal sensitive banking details. According to the report, hackers can use the Trojan, known as SharkBot, to steal information such as the user’s current balance, credentials, and other personal information.
Threat Actors Are Finding New Ways To Bypass Security
The Trojan is another indication of how seriously hackers approach the design of their attack methods. It shows that threat actors are quickly finding new ways to bypass behavioral detection measures and carry out fraud. Researchers stated that the SharkBot Trojan is capable of bypassing multiple countermeasures put in place by banks and financial institutions.
Banking Trojans are specifically designed with the aim of harvesting credentials and other vital personal and financial information. However, the SharkBot has more features than just being a banking Trojan. According to the researchers, the Trojan utilizes an Automatic Transfer System (ATS) method that automates the process of stealing users’ funds from their accounts.
The ATS feature enables the threat actors to automatically fill in account details from the infected device to facilitate fraudulent money transfers. The Trojan uses this method to bypass multi-factor authentication (MFA), biometric checks, and behavioral analytics.
The Trojan Needs The Android Accessibility Service
The good news is that SharkBot cannot be installed through the Google Play Store. This limits the threat actors' reach somewhat, since they have to convince users to download the app from somewhere other than the Play Store.
Alternatively, they could tell users to sideload the app. This is a method where the user installs an app by copying the APK installer onto the device and installing it manually. Most devices would only allow a user to sideload apps if they provide root access on the phone. In that case, many users would rather not install the app than risk losing features on their phone.
However, apps like this are not offered directly for download. Rather, they are disguised as data recovery, live TV, or media player apps.
Another point in users' favor, when it comes to the Trojan's potency, is the level of access it requires. The researchers stated that the Trojan needs access to the Android Accessibility Service in order to use ATS, so as soon as it is installed, the malware immediately requests permission to use the Accessibility Service. This feature exists for users with impaired vision, letting them automate certain tasks when using their devices.
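The Accessibility Service grant described above is a concrete device-side setting a defender can audit. The script below is an added example, not code from the article or from the researchers' report: it parses the value of the "enabled_accessibility_services" secure setting (the string returned by "adb shell settings get secure enabled_accessibility_services") and flags any package outside an allowlist. The allowlist, the sample setting and the "com.example.mediaplayer" package name are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the article or from the SharkBot research:
# audit which apps hold the Android Accessibility Service on a device.
# On a live device the setting comes from
#   adb shell settings get secure enabled_accessibility_services
# whose value looks like "pkg/ServiceClass:pkg2/ServiceClass2" (or "null"
# when nothing is enabled).
# ALLOWED_PKGS is an assumed allowlist of accessibility packages an
# organisation expects (screen readers and the like); adjust it for your fleet.

ALLOWED_PKGS="com.google.android.marvin.talkback com.android.switchaccess"

# Constructed sample value standing in for a real adb query. The second
# entry is a made-up "media player" package that should not hold this access.
SAMPLE_SETTING="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.mediaplayer/com.example.mediaplayer.a.b"

# unexpected_services SETTING
#   Prints, one per line, the package name of every enabled accessibility
#   service whose package is not in ALLOWED_PKGS. Prints nothing if clean.
unexpected_services() {
    setting="$1"
    [ "$setting" = "null" ] && return 0      # no services enabled at all
    old_ifs="$IFS"
    IFS=':'
    set -- $setting                          # one positional param per entry
    IFS="$old_ifs"
    for entry in "$@"; do
        pkg="${entry%%/*}"                   # strip the "/ServiceClass" part
        [ -z "$pkg" ] && continue
        case " $ALLOWED_PKGS " in
            *" $pkg "*) ;;                   # on the allowlist, fine
            *) printf '%s\n' "$pkg" ;;
        esac
    done
}

# audit_accessibility SETTING
#   Human-readable wrapper: returns 0 if only allowlisted packages hold the
#   Accessibility Service, 1 otherwise (so it can gate a compliance check).
audit_accessibility() {
    bad="$(unexpected_services "$1")"
    if [ -z "$bad" ]; then
        echo "OK: only allowlisted accessibility services are enabled"
        return 0
    fi
    echo "REVIEW: unexpected packages hold the Accessibility Service:"
    printf '  %s\n' $bad
    return 1
}

# Demo on the constructed sample (non-zero status deliberately not fatal here).
audit_accessibility "$SAMPLE_SETTING" || :

# Live check when adb and a device are available; skipped otherwise.
if command -v adb >/dev/null 2>&1; then
    live="$(adb shell settings get secure enabled_accessibility_services 2>/dev/null | tr -d '\r')"
    [ -n "$live" ] && { audit_accessibility "$live" || :; }
fi
```

On the constructed sample the script reports "com.example.mediaplayer" as an unexpected holder of the Accessibility Service; a "null" setting or one containing only allowlisted packages passes. The same check can be run fleet-wide by an MDM agent, since any sideloaded media or utility app that appears in this setting is the kind of grant the article describes.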
The Threat Actors Use Overlay Attacks To Deceive Users
Once the permission is granted, SharkBot uses the access to perform certain tasks such as overlay attacks on several applications to steal credit card details and login credentials.
The overlay attacks are designed to deceive the users into believing that a feature in the system needs serious attention or is under threat.
This enables the threat actors to convince the victim to click "through" the seemingly benign popups. The Android Accessibility Service also gives the Trojan the ability to bypass Android's Doze component, take full remote control of an Android device, and log keystrokes.
Once the user clicks on the popup on their screen, access to install the malicious app is unknowingly granted.
Unfortunately, no icon is displayed on the device once the malicious app is installed. This means the app can stay hidden on the system and carry out all kinds of activity for a long time without being detected.
According to the researchers who analyzed the malicious samples, the threat actors have over 22 different targets. These include organizations in Italy, the UK, and the US, international banks, and five different cryptocurrency services. The researchers say the app may expand its targeting to other countries and organizations, as it appears to be in its early stages.
SharkBot is also known to use several detection-evasion techniques, including a modular design, anti-emulator checks, and obfuscation.
For the anti-emulator check, the Trojan tests whether the host device is a real phone or an emulator. Before doing so, the malware hides all important information and commands that could reveal the presence or identity of the Trojan. The obfuscation is used to keep the Trojan under the radar as it explores all areas of the device.