Milan, November 18, 2021 - At the end of October 2021, the Cleafy Threat Intelligence team discovered a new Android banking trojan targeting banks and cryptocurrency exchanges in Italy, the UK, and the US. Since there were no references to any known families, Cleafy’s team decided to dub this new family SharkBot.
The main goal of SharkBot is to initiate money transfers from compromised devices via the Automatic Transfer Systems (ATS) technique, bypassing multi-factor authentication mechanisms (such as SCA). These mechanisms are used to enforce users' identity verification and authentication and are usually combined with behavioral detection techniques to identify suspicious money transfers.
“We have observed that once SharkBot is successfully installed in the victim's device, attackers can obtain sensitive banking information through the abuse of Accessibility Services, such as credentials and personal information, but also to perform gestures on the infected device,” said Federico Valentini, Head of Threat Intelligence and Incident Response at Cleafy. “With the discovery of SharkBot, we realized that a new generation of mobile attacks is quickly spreading in the online world, raising the level of risk and uncertainty for businesses and their customers.”
SharkBot implements overlay attacks to steal login credentials and credit card information, and it can also intercept legitimate banking communications sent through SMS. So far, it appears to have a very low detection rate by antivirus solutions.
In the past few weeks, Cleafy’s Threat Intelligence team has worked hard to analyze and gather some deep insights on this new malware, which are collected in the technical report “SharkBot: a new generation of Android Trojans is targeting banks in Europe” published on November 11th on the company’s website. In this report, the team compiled all the relevant information to help industry professionals better understand how the malware works and how it is possible to prevent it from attacking the banking systems.
As of today, the report has been cited and shared by several industry magazines, such as The Hacker News, CyberSecurity360, ZD NET Security, The Record by Recorded Future, BankInfo Security, and TECH Times. Multiple indicators currently suggest that SharkBot could be in the early stages of its development.
To learn more, visit www.cleafy.com/labs.