It turns out the ocean isn’t the only place you need to watch out for sharks.
First found in October 2021, SharkBot is a banking trojan that can bypass multi-factor authentication mechanisms to steal account credentials from android mobile devices. It then steals funds from the user’s online banking and crypto currency accounts.
It may not be able to smell blood in the water, but it can sniff out vulnerable information.
SharkBot works by performing unauthorized transactions via Automatic Transfer Systems (ATS). It creates realistic copies of banking input forms, and then, after the unsuspecting user has filled in the necessary data, they send the compromised data to a malicious server.
Most recently, SharkBot was netted by Google Play, when they removed six different anti-virus apps downloading and installing malware on the phones of unsuspecting patrons who were, ironically, just trying to protect themselves from viruses and theft. The six apps were downloaded at least 15,000 times by users in Italy and the UK before their removal.
A different species of predator.
While Android specific malware isn’t new, there are a few unique features of Sharkbot that sets it apart from other trojans.
First, it has a geofencing feature allowing it to target users based on their geographic area. Most recently, UK and Italian users were targeted, but users from China, Russia, Ukraine, India, Romania, and Belarus were ignored.
SharkBot also uses a Domain Generated Algorithm (DGA), which is unusual in Android focused malware. Using DGA, SharkBot generates seven domains for every hard-coded seed. Researchers found eight different combinations of seed/algorithm, providing 56 domains per week. SharkBot also uses over 22 commands on infected androids, including requesting permission to send SMS messages, uninstalling other applications, sending the device’s contact list to a server, and even imitating the user’s screen swipe.
In pursuit of calmer waters.
Only time will tell what the full costs of this Google Play malware are. While Google made significant strides in reducing malware and other malicious apps on Google Play, this most recent case with SharkBot shows that hackers are just getting better at fishing out information.
SharkBot is a great reminder that ultimately we’re all responsible for our own cybersecurity, and that it’s up to users to research apps (even from trusted brands) before downloading them. Practice safe cyber hygiene so you’re not vulnerable in shark-infested waters!
To learn more about TCecure’s full suite of cybersecurity prevention and protection, click here or contact us today: info@tcecure.com.