SharkBot Banking Trojan attacks found across the UK and the US

December 28, 2021

A new banking trojan dubbed SharkBot was recently discovered evading multi-factor authentication by abusing an Automatic Transfer System (ATS). The newly found malware is also reported not to belong to any familiar malware family.

Additionally, SharkBot has been traced in cyberattacks aimed at stealing funds from vulnerable handsets running the Android operating system. Infections of the new banking trojan are reported in the UK, the US, and Italy. Researchers believe that SharkBot is still in its early development stages and is likely a private botnet.


The SharkBot banking trojan is modular malware that represents the future of mobile malware: it can execute attacks by abusing ATS.


ATS lets threat actors fill in the fields on an infected Android device automatically, with minimal human intervention. SharkBot is also compared with the Gustuff banking trojan. Both share similarities in their use of the autofill service, which can facilitate fraudulent financial transactions in legitimate banking applications on infected Android devices. This is a general trend in malware development and an enhancement over older techniques in which mobile phones were exploited through phishing campaigns.

Moreover, SharkBot likely uses the technique to bypass behavioural analytics, MFA, and biometric checks, because it does not require a new device to be enrolled. To use the technique, however, the malware must first compromise Android Accessibility Services.

The banking trojan requests accessibility permissions as soon as it is executed on an Android device. The malware spams the victim with access requests until the permission is granted. Once it is granted, no installation icon is displayed on the device. The malware then quietly performs its standard window overlay attacks and begins to steal the victim's banking credentials and information, conducting its attack through ATS abuse. Furthermore, it can log keystrokes and intercept and hide incoming text messages on the device.
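The combination described above (an enabled accessibility service, no launcher icon, access to SMS) can be checked for during device triage. The following is an added example, not code from the researchers or the original article; the package names, the inventory fields `has_launcher_icon` and `permissions`, and the sample data are constructed assumptions.

```python
# Added example: constructed data, hypothetical field and package names.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

def parse_enabled_services(setting_value):
    """Parse the colon-separated enabled_accessibility_services value
    (entries look like 'package/ServiceClass') into {package: [classes]}."""
    services = {}
    if not setting_value or setting_value.strip() == "null":
        return services
    for entry in setting_value.strip().split(":"):
        if "/" not in entry:
            continue  # skip malformed entries
        pkg, cls = entry.strip().split("/", 1)
        services.setdefault(pkg, []).append(cls)
    return services

def triage(setting_value, inventory, allowlist=frozenset()):
    """Score each non-allowlisted package that has an accessibility service
    enabled; one extra point per trait the article describes."""
    findings = []
    for pkg, classes in parse_enabled_services(setting_value).items():
        if pkg in allowlist:
            continue
        info = inventory.get(pkg)
        reasons = ["accessibility service enabled"]
        if info is None:
            reasons.append("package not in inventory")
        else:
            if not info["has_launcher_icon"]:
                reasons.append("no launcher icon")
            if SMS_PERMS & set(info["permissions"]):
                reasons.append("can read or receive SMS")
        findings.append({"package": pkg, "services": classes,
                         "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["package"]))

# Constructed sample input (not taken from a real device or from SharkBot).
SAMPLE_SETTING = ("com.example.screenreader/.ReaderService:"
                  "com.example.mediaplayer/com.example.mediaplayer.HelperService:"
                  "com.example.passwordmgr/.FillService")
SAMPLE_INVENTORY = {
    "com.example.screenreader": {"has_launcher_icon": True, "permissions": []},
    "com.example.mediaplayer": {"has_launcher_icon": False,
        "permissions": ["android.permission.RECEIVE_SMS"]},
    "com.example.passwordmgr": {"has_launcher_icon": True, "permissions": []},
}

if __name__ == "__main__":
    for f in triage(SAMPLE_SETTING, SAMPLE_INVENTORY, {"com.example.screenreader"}):
        print(f["score"], f["package"], "; ".join(f["reasons"]))
```

On a device under investigation, the setting string can be read with `adb shell settings get secure enabled_accessibility_services`; the per-package inventory would come from whatever MDM or package listing is available.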

Experts also see a possibility that the banking trojan is capable of performing activities on behalf of the victim. The malware targets international banking and cryptocurrency services.

Nonetheless, antivirus solutions have rarely detected the banking trojan. Experts conclude that mobile malware attacks are becoming more active and enhanced as attackers continuously find new ways to perform them.
