Researchers at Cleafy recently (Oct 2021) identified a new Android trojan that is capable of automatically initiating money transfers from banking apps installed on a compromised Android device. Cleafy has named this malware SharkBot. SharkBot was observed using a technique known as Automatic Transfer System (ATS), a sophisticated technique for bypassing multi-factor authentication controls implemented in banking apps (e.g. biometrics, OTP).
Once SharkBot is successfully installed on a victim’s device, it takes advantage of Android’s Accessibility Services feature. This feature was originally introduced by Google to make the device more user friendly for people with visual, auditory, motor or cognitive challenges. But malware like SharkBot has started to exploit this feature for nefarious purposes. One example is an overlay attack, wherein the malware places itself transparently over another app and the user is led to believe that he/she is actually using the underlying app. This technique is used to capture credentials or OTPs, as the user thinks that he/she is entering those details into the underlying app.
Similarly, there are other such techniques that malware employs today. For example, for visually challenged users, Accessibility Services can intercept an incoming text message and read it aloud to the user. This same capability is exploited by SharkBot to intercept and read incoming OTP messages. Moreover, since the malware is installed on the users’ devices and transactions are initiated from those devices, SharkBot is also able to bypass any device restrictions that banks may have imposed.
Attackers create genuine-looking apps with common names (e.g., media player, live TV, data recovery, etc.) and package them with malware like SharkBot. Then they place them on the Google Play store for users to download. As they’re submitted under common names, any unsuspecting user who downloads such an app thinking it’s genuine is also infecting his / her device with SharkBot or other malware.
Therefore, it is very important to ensure that you’re only installing apps from trusted / known developers from the Play Store or App Store. One way to check is to review the Developer page and also check which other apps that developer has created.
Being vigilant and being aware are the only tools that can help us protect ourselves against increasingly sophisticated malware like SharkBot. At Xybr, we have created multiple games that raise awareness about such risks and teach users techniques for identifying genuine apps.
Here’s the link to the complete report on SharkBot from Cleafy Labs.