SharkBot, New Financial Trojan, Making Waves in Europe and US

A new Android banking Trojan has been identified that can bypass multi-factor authentication (MFA) by abusing an Automatic Transfer System (ATS). Researchers at Cleafy discovered the malware at the end of October, and it does not appear to belong to any known family.

The malware, now known as SharkBot, has been linked to attacks that steal money from compromised devices running Google's Android operating system. So far, infections have been found in the United Kingdom, Italy, and the United States.

SharkBot is modular malware that, according to the researchers, belongs to the next generation of mobile malware capable of carrying out attacks through an Automatic Transfer System (ATS).

ATS lets attackers fill in form fields on an infected device with no human input. As with the Gustuff banking Trojan, this autofill capability is used to initiate fraudulent money transfers from within legitimate financial apps; the researchers see it as a general trend in malware development and a shift away from earlier mobile theft techniques such as phishing sites.

According to Cleafy, SharkBot can use this technique to evade behavioral analytics, biometric checks, and MFA, because the fraudulent transfer is made from the victim's already enrolled device and no new device has to be registered. To do so, however, the malware must first obtain access to Android Accessibility Services.

When SharkBot is launched on an Android device, it immediately requests accessibility permissions and bombards the victim with pop-ups until they are granted. No app icon is displayed after installation.

The researchers say the banking Trojan can also perform "gestures" (simulated taps and swipes) on behalf of the victim. Its targets include apps of international banks and cryptocurrency services.

One bright spot is that no samples have been found in Google Play, the official Android app store. Instead, the malware has to be side-loaded from an external source, which the researchers warn is still a problem, since side-loaded apps bypass Google Play's security checks.
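The two traits described above (an accessibility service granted to an app that was not installed from Google Play) are something an analyst can check for on a device under investigation. The following is an added triage helper, not code from the article or from Cleafy: it parses the output of `adb shell settings get secure enabled_accessibility_services` (entries are `package/service` joined by `:`) and of `adb shell dumpsys package`, and flags enabled accessibility services whose package was not installed by `com.android.vending`. The exact layout of `dumpsys package` output (a `Package [name]` header followed by an `installerPackageName=` line) is an assumption about current Android builds, and the sample inputs and package names below are constructed for illustration.

```python
"""Flag enabled Android accessibility services that belong to sideloaded apps.

Added triage example; not from the article or from Cleafy. Run the two adb
commands on the device, save their output, and feed it to suspicious_services().
"""
import re
from typing import Dict, List, Optional, Tuple

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `settings get secure enabled_accessibility_services`.
# A relative class name (".AccessService") is shorthand for package + class.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
    ":com.example.mediaplayer/.AccessService"
)

# Constructed excerpt of `dumpsys package` (assumed layout, trimmed to the
# lines this script needs). Sideloaded apps report installerPackageName=null.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.google.android.marvin.talkback] (1a2b3c):
    userId=10045
    installerPackageName=com.android.vending
  Package [com.example.mediaplayer] (4d5e6f):
    userId=10201
    installerPackageName=null
"""

_PKG_HEADER = re.compile(r"^\s*Package \[([^\]]+)\]")
_INSTALLER = re.compile(r"^\s*installerPackageName=(\S+)")


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Return (package, fully qualified service class) pairs from the setting."""
    raw = raw.strip()
    if not raw or raw == "null":  # setting is 'null' when nothing is enabled
        return []
    services = []
    for entry in raw.split(":"):
        if not entry:
            continue
        pkg, _, svc = entry.partition("/")
        if svc.startswith("."):  # expand shorthand relative class name
            svc = pkg + svc
        services.append((pkg, svc))
    return services


def parse_installers(dumpsys_output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None if null or absent)."""
    installers: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for line in dumpsys_output.splitlines():
        header = _PKG_HEADER.match(line)
        if header:
            current = header.group(1)
            installers.setdefault(current, None)
            continue
        inst = _INSTALLER.match(line)
        if inst and current is not None:
            value = inst.group(1)
            installers[current] = None if value == "null" else value
    return installers


def suspicious_services(
    enabled_raw: str, dumpsys_output: str
) -> List[Tuple[str, str, Optional[str]]]:
    """Enabled accessibility services whose package did not come from Play.

    Returns (package, service, installer) triples; installer is None when the
    package was sideloaded or is unknown to dumpsys.
    """
    installers = parse_installers(dumpsys_output)
    flagged = []
    for pkg, svc in parse_enabled_services(enabled_raw):
        installer = installers.get(pkg)
        if installer != PLAY_STORE_INSTALLER:
            flagged.append((pkg, svc, installer))
    return flagged


if __name__ == "__main__":
    for pkg, svc, installer in suspicious_services(SAMPLE_ENABLED, SAMPLE_DUMPSYS):
        print(f"REVIEW: {svc} (package {pkg}, installer={installer})")
```

An accessibility service from a non-Play package is not proof of infection (enterprise MDM agents and some legitimate tools are sideloaded too), but combined with a hidden launcher icon and persistent permission prompts it is a strong lead for the behaviour described above.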

About the author

CIM Team
