SharkBot is a banking trojan that primarily targets money transfers, attempting to exploit the Automatic Transfer Systems (ATS) technique that bypasses a bank’s multi-factor authentication mechanisms. When a user tries to transfer funds to another bank account, the malware changes the International Bank Account Number (IBAN) entered to that of the attacker’s account.
Discovered in 2021, SharkBot shows no icon after installation on the users’ app launcher. After abusing a device’s accessibility services, the trojan performs actions under the victim’s identity. The trojan can also employ overlay attacks to steal credentials and credit card details.
In addition to more common tactics like keylogging and hiding the app icon from the user’s app launcher, SharkBot has employed several more novel capabilities:
- Anti-analysis techniques, including emulator detection, and using a domain generation algorithm for its network communication. The fact that the SharkBot trojan was written from scratch also helps it evade detection.
- An anti-delete feature that keeps victims from uninstalling the app.
- An ability to delete other apps on the victim’s devices based on instructions from a command-and-control server.
- The ability to intercept legitimate banking communications sent via SMS.
- The use of encryption to hide communications with the command-and-control server.
Threats Posed by SharkBot to Mobile Banking Apps
- Data Theft: SharkBot is designed to steal sensitive information from the user’s device. This theft includes login credentials for banking apps, credit card information, and personal identification details.
- Keylogging: The trojan can capture keystrokes, recording everything the user types on their device. This information includes usernames, passwords, PINs, and other sensitive data entered into mobile banking apps.
- SMS Intercept: SharkBot can intercept SMS messages on the infected device. Intercepted messages could include one-time passwords (OTPs) and transaction verification codes sent by mobile banking apps, potentially allowing attackers to bypass two-factor authentication.
- Overlay Attacks: SharkBot can employ overlay attacks, displaying fake login screens that mimic legitimate mobile banking apps. Users may unwittingly enter their credentials into these deceptive interfaces, which are then captured by the trojan.
- Device Information Theft: SharkBot can gather device-specific information, such as device identifiers, phone numbers, and operating system details. This information may be used for tracking and profiling users.
- Remote Control: The trojan connects to the attackers’ command and control (C2) server. This connection enables remote control of the infected device, allowing attackers to execute various commands, including unauthorized transactions.
Mitigating the Threat of SharkBot
To protect your mobile banking app and its users from the SharkBot banking trojan and similar threats, consider implementing the following security measures:
- Regular Updates: Keep your mobile banking app and its dependencies up-to-date with the latest security patches and enhancements to address known vulnerabilities.
- User Education: Educate users about the importance of downloading the official app from trusted sources, avoiding suspicious links or downloads, and being cautious with app permissions.
- Multi-factor Authentication (MFA): Encourage users to enable MFA for their accounts to add an extra layer of security.
- Real-time Monitoring: Implement real-time monitoring to detect and respond to suspicious activities within your app and network traffic.
- Secure Coding: Follow secure coding practices to prevent vulnerabilities in your app’s code, including input validation, data encryption, and secure API communication.
- Third-party Library Review: Carefully review and vet third-party libraries or components used in your app for potential security risks.
- Collaborate with Security Experts: Work with cybersecurity experts to conduct security assessments, code reviews, and penetration testing to identify and address your app’s security weaknesses.
- Incident Response Plan: Develop an incident response plan to respond to security incidents or breaches effectively.
By taking these precautions, you can help safeguard your mobile banking app and protect your users from the threats posed by the SharkBot banking trojan and other evolving malware.
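The accessibility-service abuse and overlay attacks described above can be surfaced and partly blunted from inside the banking app itself. The Kotlin below is an added example, not code from the original page or from any vendor; the allowlist contents and the function and signal names are assumptions made for illustration.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.os.Build
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager

// Hypothetical allowlist of accessibility services the bank has vetted.
// TalkBack's package name is real; extend the set from your own review.
private val TRUSTED_A11Y_PACKAGES = setOf("com.google.android.marvin.talkback")

/** Package names of enabled accessibility services that are not on the allowlist. */
fun untrustedAccessibilityServices(context: Context): List<String> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .mapNotNull { it.resolveInfo?.serviceInfo?.packageName }
        .filter { it !in TRUSTED_A11Y_PACKAGES }
        .distinct()
}

/** Call from onCreate() of screens that collect credentials or transfer details. */
fun hardenSensitiveScreen(activity: Activity, root: View) {
    // Keep the screen out of screenshots and screen recordings.
    activity.window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
    // Drop touch events delivered while another window obscures this view.
    root.filterTouchesWhenObscured = true
    // Android 12+: hide non-system overlay windows while this window is shown.
    // Requires the HIDE_OVERLAY_WINDOWS permission in the manifest.
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
        activity.window.setHideOverlayWindows(true)
    }
}

/**
 * Risk signals to attach to a transfer request (hypothetical field names).
 * Users of legitimate assistive technology will also trigger this, so treat it
 * as input to server-side step-up or review rather than a hard block.
 */
fun transferRiskSignals(context: Context): Map<String, Any> {
    val untrusted = untrustedAccessibilityServices(context)
    return mapOf(
        "untrusted_a11y_services" to untrusted,
        "a11y_risk" to untrusted.isNotEmpty()
    )
}
```

Because the client can be tampered with on an infected device, the server should treat a missing or empty signal as unknown rather than clean.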
Learn More about Banking Trojan Families
SharkBot is one of the principal families of banking trojans threatening mobile banking and financial apps. Learn more about other prominent banking trojan families:
- BianLian
- Cabassous
- Coper
- EventBot
- ExobotCompact.D
- Octo
- FluBot
- Medusa Trojan
- Teabot
- Xenomorph
- Zbot
- Svpeng
- Marcher
- Anubis
- Ginp
- Cerberus Trojan
- BankBot
- Emotet