The prevalence of mobile banking has made smartphones one of the easiest targets for cybercriminals. Now, researchers have found a new Android banking trojan that has been active since at least October.

Diving into details

The malware has been dubbed SharkBot and has targeted mobile banking users in the U.S., the U.K., and Italy. It has targeted 22 international banks in the U.K. and Italy and five cryptocurrency apps in the U.S. The malware enables the attackers to take control of victims’ devices and steal funds from cryptocurrency and online banking accounts. Once the trojan is installed, it can exploit Accessibility Services and exfiltrate information such as login credentials, current balance, and personal information, among others. In addition, SharkBot has a very low detection rate among antivirus solutions because it employs several anti-analysis techniques.

Why this matters

Like its counterparts UBEL and TeaBot, SharkBot impersonates a media player, data recovery, or live TV app. The malware is unique in the sense that it abuses Accessibility Services to conduct Automatic Transfer System (ATS) attacks, allowing the attackers to autofill sensitive details in legitimate apps and initiate fund transfers.
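Because the trojan depends on being granted an Accessibility Service, one defensive check is to list which apps hold that permission on a device and where they were installed from. The following is an added example, not code from the researchers or from SharkBot analysis: it parses the output of the standard Android commands `settings get secure enabled_accessibility_services` and `pm list packages -i`, and the trusted-installer list, package names and sample data are constructed assumptions.

```python
# Added example: flag apps that hold an Accessibility Service but were not
# installed from a trusted store. All sample data below is constructed.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play only


def parse_accessibility(setting):
    """Package names from `settings get secure enabled_accessibility_services`."""
    setting = setting.strip()
    if not setting or setting == "null":  # "null" means nothing is enabled
        return set()
    # The value is a colon-separated list of "package/ServiceClass" entries.
    return {c.split("/", 1)[0] for c in setting.split(":") if c}


def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        fields = line.strip().removeprefix("package:").split()
        if not line.strip().startswith("package:") or not fields:
            continue
        installer = "null"  # sideloaded and preinstalled apps report null
        for field in fields[1:]:
            if field.startswith("installer="):
                installer = field[len("installer="):]
        installers[fields[0]] = installer
    return installers


def risky_services(setting, pm_output, system_packages=frozenset()):
    """Return (package, installer) pairs that deserve manual review."""
    installers = parse_installers(pm_output)
    flagged = []
    for pkg in sorted(parse_accessibility(setting)):
        if pkg in system_packages:  # e.g. taken from `pm list packages -s`
            continue
        installer = installers.get(pkg, "null")
        if installer not in TRUSTED_INSTALLERS:
            flagged.append((pkg, installer))
    return flagged


# Constructed sample: a screen reader from the store and a sideloaded "player".
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.mediaplayer/.PlayerAssistService")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.mediaplayer  installer=null
package:com.example.notes  installer=com.android.vending"""

if __name__ == "__main__":
    print(risky_services(SAMPLE_SETTING, SAMPLE_PM))
```

A flagged entry is a prompt for review rather than proof of infection, since legitimate sideloaded apps can also use Accessibility Services.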

Some banking trojan stats

  • According to Nokia’s 2021 Threat Intelligence Report, the number of new banking trojans surged by 80% year-on-year in H1 2021.
  • Android devices are targeted more often than their iOS counterparts. Android devices account for 50% of all mobile device malware infections.
  • While users are repeatedly advised not to download apps from third-party sources, such sources accounted for 75 billion downloads.

The bottom line

Cybercriminals are evolving and are always on the lookout for new opportunities. This trend is expected to continue, and organizations need better online practices and endpoint security. SharkBot belongs to a new generation of banking trojans, as it can conduct ATS attacks. The discovery of this malware indicates that mobile malware authors are finding new ways to conduct fraud.

Cyware Publisher