During a recent partner mobile malware scan, Allure Security identified a rogue mobile Android app infected with the SharkBot mobile banking trojan. Though SharkBot is several years old, this discovery confirms that the malware is still in circulation and is a threat to the brand integrity of financial institutions.
What is SharkBot?
SharkBot is an Android mobile banking malware originally discovered by the Cleafy Threat Intelligence Team in October 2021. The goal of the Trojan is to initiate money transfers from compromised devices to accounts owned by the threat actor. It accomplishes this through a combination of keyloggers, manipulating the auto-reply feature for SMS messages, and abusing accessibility services.
See the “How SharkBot Works” section for more details.
How is it Delivered?
Where Will Users Encounter SharkBot?
SharkBot distributes itself in two ways: through an infected application or by sending links from compromised devices.
When SharkBot resurfaced in 2022, it was distributed on the Google Play Store through anti-virus and basic utility apps, including:
- Live Net TV
- UltData_Recovery
- Media Player HD
This strategy allows the fraudster to take advantage of basic SEO terms like “Media Player” and lure users into downloading their application. Some may even use paid ads on these search terms to give their malicious app top placement on search pages.
Third-Party Application Stores
Our brand protection AI identified a rogue mobile app on a third-party app store. The rogue app was a counterfeit application mimicking the official banking app of a credit union with $3B in assets. The targeted organization investigated further and confirmed that it contained SharkBot.
Users seeking the official app of their financial institution may unknowingly download the tainted mobile app repackaged with the malware. Once a user downloads the tampered app and grants it permissions, the malware executes its scam. This delivery technique demonstrates that fraudsters are using SharkBot-infested apps in targeted campaigns against members of credit unions or customers of financial institutions.
SharkBot Spreads Quickly
SharkBot also leverages the user’s device to spread by manipulating the auto-reply feature built into Android devices. Auto-reply automatically sends predefined responses to SMS text messages, much like an out-of-office setting on an email application. SharkBot uses this feature to send text messages with links to a SharkBot-infested application to the phone’s entire contact list.
How SharkBot Works
SharkBot initiates money transfers from the user’s account to an account owned by the threat actor. Unlike ransomware which locks a device’s data and requires the user to initiate a payment, SharkBot can operate entirely in the background, bypass two-factor authentication and multi-factor authentication security controls, and initiate the money transfers without alerting the device owner.
To do this, SharkBot uses a combination of techniques common in other forms of malware, including:
- Remote Control: Applications housing SharkBot have been known to repeatedly request access to Accessibility features until the user accepts the request. Once accepted, this enables SharkBot to gain full remote control of the device by passing control to a command-and-control (C2) server owned by the fraudster. From there, the fraudster uses their remote control to initiate unauthorized money transfers.
- Keylogging: With control of accessibility features, SharkBot sends the accessibility events log to the C2 server. The events log, among other things, records keystrokes, button presses, and text field changes. With this information, the fraudster can identify passwords, login credentials, account numbers, routing numbers, and similar information necessary to access the legitimate banking app and initiate the money transfer.
- Overlay Attacks: SharkBot can also steal login credentials using overlay attacks. When the command-and-control server identifies that a targeted app, such as a banking app, is opened, it displays a web view of a fake login screen on top of it. The user unknowingly enters their login credentials, and SharkBot takes note.
- SMS Interception: Two-factor authentication and multi-factor authentication are two common security strategies for protecting mobile banking apps. By intercepting SMS messages received by the device, the fraudster can bypass these security checks. Many two-factor authentication challenges ask the user to input a one-time passcode (OTP) delivered via SMS text message. Once SharkBot is active within a device, it intercepts these text messages and reroutes them to the command-and-control server while suppressing the notification the user would normally receive. In this way, the fraudster can activate a banking app, pass its authentication challenge, and transfer funds without the user being alerted.
Why SharkBot is Unique
SharkBot is distinct from other forms of mobile malware because it takes advantage of a more sophisticated attack technique called an “Automatic Transfer System” (ATS). SharkBot is not the only malware to use an ATS, but doing so marks it as part of a new generation of mobile malware. ATS fraud involves automating the alteration of a transaction initiated by a legitimate user to change the receiving account number to an account controlled by the attacker.
While related types of mobile app fraud enabled by malware allow fraudsters to manipulate transactions manually, the ATS technique automates this process. It enables SharkBot to fill in form fields and execute the transfer independently. This enables a fraud ring to scale its operation and complete more money transfers without human intervention.
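As an added illustration (not from the original post and not Allure Security's code), the backend-side heuristic below scores transfer sessions for the three signs described in the SMS interception and ATS sections: a receiving account rewritten after the user entered it, a one-time passcode accepted faster than a person could read the SMS, and a form filled at machine speed. The event names, thresholds and session log are constructed assumptions, not a real bank's telemetry.

```python
from collections import defaultdict
from datetime import datetime

# Constructed (made-up) transfer-session events: (session, ISO time, event, detail),
# already in time order. Session s1 is a human; s2 shows the three automation signs.
EVENTS = [
    ("s1", "2024-05-01T10:00:00", "field", "beneficiary=GB11ACME1234"),
    ("s1", "2024-05-01T10:00:07", "field", "amount=120.00"),
    ("s1", "2024-05-01T10:00:09", "otp_sent", ""),
    ("s1", "2024-05-01T10:00:41", "otp_ok", ""),
    ("s1", "2024-05-01T10:00:43", "submit", "beneficiary=GB11ACME1234"),
    ("s2", "2024-05-01T11:00:00.000", "field", "beneficiary=GB11ACME1234"),
    ("s2", "2024-05-01T11:00:00.300", "field", "amount=950.00"),
    ("s2", "2024-05-01T11:00:00.600", "field", "beneficiary=GB99MULE0001"),
    ("s2", "2024-05-01T11:00:01", "otp_sent", ""),
    ("s2", "2024-05-01T11:00:03", "otp_ok", ""),
    ("s2", "2024-05-01T11:00:03.500", "submit", "beneficiary=GB99MULE0001"),
]


def score_session(rows, otp_min_s=5.0, form_min_s=2.0):
    """Return the ATS / OTP-relay indicators present in one session's rows."""
    payees, field_times, marks = [], [], {}
    for _, ts, event, detail in rows:
        t = datetime.fromisoformat(ts)
        if event == "field":
            field_times.append(t)
        if detail.startswith("beneficiary="):
            payees.append(detail.split("=", 1)[1])  # user entries, then the submitted one
        marks[event] = t
    reasons = []
    # ATS: the account finally submitted differs from the one the user first entered.
    if len(payees) > 1 and payees[0] != payees[-1]:
        reasons.append("beneficiary_rewritten")
    # Relayed OTP: the code is accepted far sooner than a person could read the SMS.
    if "otp_sent" in marks and "otp_ok" in marks and \
            (marks["otp_ok"] - marks["otp_sent"]).total_seconds() < otp_min_s:
        reasons.append("otp_consumed_too_fast")
    # Automated form filling: every field populated within a couple of seconds.
    if len(field_times) > 1 and (field_times[-1] - field_times[0]).total_seconds() < form_min_s:
        reasons.append("form_filled_too_fast")
    return reasons


def flag_sessions(events):
    """Group rows by session and score each; an empty list means no indicator fired."""
    by_session = defaultdict(list)
    for row in events:
        by_session[row[0]].append(row)
    return {sid: score_session(rows) for sid, rows in by_session.items()}
```

Any one indicator alone can have a benign cause (a user correcting a typo, a password manager filling fields), so in practice these feed a risk score rather than a hard block.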
SharkBot Evasion Techniques
SharkBot mobile banking Trojans use evasion techniques to avoid detection by malware analysis and fraud detection tools.
Communications between the malware and the command-and-control server are all encrypted.
Once the malicious application is installed on the device, it uses Emulator Detection to determine if the device is a real phone or an emulator. This enables it to avoid analysis by threat researchers if executed in a sandbox environment.
The code necessary to execute the Automatic Transfer System is not housed within the rogue or malicious application. Instead, SharkBot downloads the module from the command-and-control server as a “.jar” file.
SharkBot hides the icon of the malicious app within the device. This conceals the delivery method from the user.
SharkBot in its first version was written from scratch rather than reusing code found in other malware. This helps SharkBot evade analysis by cybersecurity tools that look for known code snippets from other malware families. SharkBot was first discovered in 2021, and as time goes on, this aspect will become less and less effective at evading detection as cybersecurity tools learn to recognize SharkBot.
Anatomy of the Attack: Step-by-Step
How to Stop SharkBot and Protect Your Brand
The SharkBot mobile banking Trojan presents an interesting challenge for cybersecurity professionals. Its evasion techniques conceal the threat from the user, so they are unaware the attack is occurring. The best way to stop SharkBot is to prevent it from taking root in a device in the first place.
When SharkBot was discovered in a rogue mobile app mimicking the banking app of one of our partners, it wasn’t SharkBot itself that we found. Instead, through our Mobile Application Protection Services, our scans uncovered the rogue mobile app. One way to prevent the delivery of SharkBot to your banking customers or credit union members is to monitor mobile app stores for unauthorized versions of your mobile app. By maintaining brand integrity and executing timely takedowns of spoofs and look-alike apps of your brand, you can reduce the risk of mobile banking Trojans reaching your customers.
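The triage logic below is an added example (not Allure Security's scanner) of how the monitoring described above can separate a repackaged copy of the genuine app from look-alike listings and unrelated apps: the official package name and signing-certificate fingerprint are the ground truth, so a listing that carries the real package name under a different signer is the repackaged case this article found. The institution, package names, fingerprints and store listings are constructed placeholders.

```python
from difflib import SequenceMatcher

# The institution's genuine app as published (constructed placeholder values).
OFFICIAL = {
    "name": "Harborview Credit Union Mobile",
    "package": "org.harborviewcu.mobile",
    "developer": "Harborview Credit Union",
    "cert_sha256": "AA11" * 16,  # APK signing-certificate fingerprint (placeholder)
}

# Constructed listings as a store-monitoring crawler might return them.
LISTINGS = [
    {"store": "Google Play", "name": "Harborview Credit Union Mobile",
     "package": "org.harborviewcu.mobile", "cert_sha256": "AA11" * 16},
    {"store": "third-party", "name": "Harborview Credit Union Mobile",
     "package": "org.harborviewcu.mobile", "cert_sha256": "BB22" * 16},  # same package, new signer
    {"store": "third-party", "name": "HarborviewCU Banking",
     "package": "com.freeapps.harborviewcu", "cert_sha256": "CC33" * 16},
    {"store": "third-party", "name": "Media Player HD",
     "package": "com.media.player.hd", "cert_sha256": "DD44" * 16},
]


def _similar(a, b):
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def classify(listing, official=OFFICIAL, name_threshold=0.6):
    """Return 'official', 'repackaged', 'lookalike' or 'unrelated' for one listing."""
    same_pkg = listing["package"] == official["package"]
    same_cert = listing["cert_sha256"].lower() == official["cert_sha256"].lower()
    if same_pkg and same_cert:
        return "official"
    if same_pkg:
        # Genuine package id but signed with another key: the APK was rebuilt and re-signed.
        return "repackaged"
    brand = official["developer"].split()[0].lower()
    if (_similar(listing["name"], official["name"]) >= name_threshold
            or brand in listing["name"].lower() or brand in listing["package"].lower()):
        return "lookalike"
    return "unrelated"


def takedown_queue(listings, official=OFFICIAL):
    """Listings to send for takedown, repackaged copies first, then look-alikes."""
    verdicts = [(classify(item, official), item) for item in listings]
    return ([item for v, item in verdicts if v == "repackaged"]
            + [item for v, item in verdicts if v == "lookalike"])
```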