With malware like Flubot the transfer of funds requires human interaction to complete the theft. SharkBot has removed this need and can autofill the data needed and even simulate the clicks and touches a user would take to perform the transfer. In addition to allowing the automated theft of money, it can also allow the malware to download and install additional payloads. It is an evolution in the way banking malware operates and shows that threat actors are focusing more effort on the mobile arena. When you combine this with the often-mentioned lack of real mobile anti-malware it makes mobile devices a target rich environment.
But wait, there’s more! It seems that SharkBot also abuses the Direct Reply feature in Android to send a text message to others with a link to download the malicious app. This new method of spreading is new and abuses people’s trust in their friends’ recommendations for apps. It is a clever way to spread. SharkBots use of the Automatic Transfer system (which also can bypass MFA) is not without a backup system as there are also functions which allot the attackers to log keystrokes, overlays that simulate the login page of detected banking apps, and intercepting SMS messages.
Although SharkBot is a new generation of banking malware, it does rely on a familiar feature to perform the tasks it wants, the Android Accessibility Services feature. Once a targeted user allows permissions to these services, they are basically giving over control of their phone. This excessive permission is something that we have talked about, and we have always advised users not to grant this to applications that should not have it (like a game). To get around this potential issue, the developers of SharkBot have decided to make their malicious apps look like Antimalware Apps. This shift is a dangerous one as many anti-malware apps do ask for access to the Accessibility Services including Microsoft Defender for Endpoint. This will make it much harder for end users to decern a malicious app from a real one.
The onus for preventing this type of attack falls back on Google to either limit or protect the Accessibility Services function better or find a better way to prevent these apps from getting into the Play Store in the first place. The fact that SharkBot has been downloaded around 57,000 times since it first hit the Play Store in October 2021 shows how effective these campaigns are. To prevent them end users should take extra steps to confirm the application they are downloading is legitimate. Corporations that are allowing BYOD mobile devices should set up policies and agreements that allow the installation of mobile antimalware on their employee’s devices (the technology here is much more mature) for the purpose of preventing malware on those devices.
Happy Mobile Banking