Sharkbot: the latest banking trojan

A new banking trojan has emerged that exploits Accessibility Services on Android phones; the researchers who discovered it have dubbed it Sharkbot. 

What characterises this trojan? 

Sharkbot follows the recent trend of the more advanced trojans in that it uses a more hands-on approach rather than a reliance on phishing attacks.  

This trojan uses an Automatic Transfer System (ATS) to bypass the multi-factor authentication (MFA) and behavioural detection techniques commonplace in banking services today. The main goal is to use this system to initiate money transfers from the compromised device. 

Sharkbot, similar to other banking trojans, enables attackers to steal information such as user credentials, personal information and current balance. However, through the use of ATS, Sharkbot can automate the transfer of funds from an account by using an autofill service that automatically fills in fields. 

In order to utilise ATS, the malware must first compromise Android Accessibility Services. This feature is designed to help physically impaired users interact with their devices by automating certain tasks. 

Cleafy, the researchers who discovered this trojan in late October, say that it still appears to be in its early stages of development. It does not appear to be available via the Google Play Store and must instead be loaded from an external source, a practice for which there are security controls in place to warn users against and help prevent. 

Android Accessibility Services 

Once Sharkbot is loaded onto a device, it will immediately request accessibility permissions – and will spam the user with pop-ups until this is granted. The malware will then exploit this feature to perform fraudulent activity.  

• Overlay attacks – these allow the attacker to show fake pop-ups over actual ones that deceive the victim into clicking ‘through’ them. This performs the action of the pop-up below and may be used to accept a permission, for example. 
• Keylogging – such as to record typed credentials including passwords 
• Intercept and hide texts – a feature mostly used to intercept the one-time passcodes used by banks for MFA 
• Obtaining remote control of a device 
• Prevent the device from disconnecting to the threat actor’s servers by bypassing sleep components 
• Enable all additional permissions to be granted automatically 

Anti-detection 

So far, infections have been found in the UK, US and Italy. Sharkbot targets mobile banking users and has been found to have targeted 22 international banks and five cryptocurrency apps. It has a very low detection rate by antivirus software as it uses multiple anti-analysis techniques. These include: 

• Obfuscation – slowing down static analysis and hiding commands and important information 
• External ATS module – this uses a ‘.jar’ file that contain all the ATS functionality – this is separate from the APK so is not found when it is analysed 
• App icon is hidden 
• Anti-emulator feature – this checks if the device is a real phone or an emulator 
• Encrypted communication and Domain Generator Algorithm (DGA) 
• Anti-delete – Accessibility Services are also used to prevent the app from being uninstalled 

"With the discovery of SharkBot we have shown new evidence about how mobile malware [is] quickly finding new ways to perform fraud, trying to bypass behavioral detection countermeasures put in place by multiple banks and financial services during the last years," said Cleafy.  

"Like the evolution of workstation malware occurred in the past years, in the mobile field, we are seeing a rapid evolution towards more sophisticated patterns like ATS attacks."