By Roy Urrico
Redwood City, Calif.-based Appdome warned of a dangerous new Android banking Trojan called SharkBot that evades multi-factor authentication and Google SafetyNet, misuses accessibility services to change permissions, utilizes overlay attacks to steal data, and auto-populates fields to log into and execute commands in other apps.
Appdome, which provides no-code mobile app security and fraud prevention, learned about the emergence of SharkBot in the U.S. and Europe in October 2021.
Mobile Trojans that attack banking apps are not new. The growing list includes FluBot, in which users receive fraudulent messages or notifications, and TeaBot, which can steal victims' SMS messages and credentials. But cybersecurity experts fear SharkBot may herald the beginning of a new mobile malware generation. “It goes further than your typical banking Trojan,” said Jan Sysmans, Appdome’s Head of Marketing Asia Pacific and Japan, and Product Specialist Mobile Banking Security.
Sysmans said, “In most cases, banking Trojans are aimed at intercepting transactions or faking transactions of the user, either stealing from the account or emptying the account.” However, credit unions or banks with accountholders that get victimized do not escape with clean hands or their reputations intact. “The consumer is telling the developers that you should take action to prevent these things from happening in the first place.”
A global Appdome consumer survey of more than 10,000 mobile consumers from multiple continents, “How CISOs Can Meet Consumer Expectations of Mobile Security in 2021,” found the duty to protect app use has shifted from the consumer to the app maker, with 73% of respondents indicating they would stop using a mobile app if it left them unprotected against attack.
At this year’s annual Money20/20 event, Noname Security and Alissa Knight, a partner at Knight Ink who described herself as a recovering hacker, announced new research, “Scorched Earth: Hacking Bank APIs.” The research exposed financial institution vulnerability: Knight was able to access 55 financial institutions through their APIs, giving her the ability to change customers' PIN codes and transfer funds in and out of customer accounts.
Swimming in Dangerous Trojan Waters
Milan, Italy-based Cleafy Labs’ team of cybersecurity experts, fraud-hunters, data scientists and engineers labeled SharkBot as “a new generation of mobile malware, as it can perform ATS (Automatic Transfer System) attacks inside the infected device.” Once on a device, SharkBot uses the ATS, which enables attackers to auto-fill fields in legitimate mobile banking apps and initiate money transfers from the compromised devices.
SharkBot uses multiple attack vectors to defraud mobile banking customers:
Avoids Google’s SafetyNet detection.
Intercepts multi-factor authentication text messages.
Abuses Android accessibility services.
Employs overlay attacks to steal account credentials and credit card data.
Auto-populates fields in the mobile banking app.
SharkBot also lets the criminals access all the victim’s personal information, credit card details, and mobile banking apps. With the device in fraudsters’ grip, they can capture or conceal one-time passcodes (OTPs) and other messages and quickly swim away with account contents before detection.
Sysmans noted that SharkBot actually changes the accessibility services to prevent deletion of the app and in many cases leaves the user with one recourse: get a new device.
Another variable making SharkBot dangerous, pointed out Sysmans, is that many developers employ Google’s SafetyNet, which provides a set of services and application programming interfaces (APIs) that help protect an app against malware. “But SharkBot avoids detection by Google SafetyNet.”
Learning about SharkBot
How does Appdome respond to new banking Trojans like SharkBot? “Rather than have a single defense against every single Trojan that is out there,” Sysmans said, “We looked at what do all these Trojans have in common?” The cybersecurity company discovered that banking Trojans all abuse the Android accessibility service, which is a key part of helping the elderly and disabled use their smartphones. The accessibility function can also perform user actions and overlay content on other apps.
The accessibility service is for developers who want to enhance their apps, but it also opens up the door for malicious hackers. For example, suggested Sysmans, the same feature that reads text out to the user can also scan the text and send it to the malware developer.
Sysmans added, “By granting specific permissions for making it easier for people to use a mobile app, the hackers have found ways of taking all or certain services (and) granting themselves a lot more permission. Effectively having control over the operating system and then being able to affect everything.”
Google made changes to its Android accessibility service API right after the new (SharkBot) Trojan showed up. Although this made it more difficult for hackers for a time, Sysmans noted the fraudsters have already bypassed the restrictions that Google put in place.
Hackers also utilize overlay attacks, which put a fake screen on top of the real screen, and droppers, a kind of Trojan designed to install dormant malware on a target system that fraudsters can activate at will.
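Because the accessibility service is the capability these Trojans have in common, a support or incident-response team can start by listing which apps on a device currently hold it. The following is an added example, not Appdome's code or anything from the original article: it parses the value of Android's secure setting enabled_accessibility_services and flags services from packages that are not on an allowlist. The allowlist contents and the sample value, including the package com.example.flashlight, are assumptions constructed for illustration.

```python
"""Audit Android's enabled accessibility services against an allowlist."""

# Assumption: packages this organisation expects to hold accessibility access.
ALLOWED_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw):
    """Parse the colon-separated component list stored in the secure setting
    enabled_accessibility_services into (package, class) pairs."""
    raw = (raw or "").strip()
    if raw in ("", "null"):  # `settings get` prints "null" when unset
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:  # tolerate a stray leading or trailing colon
            continue
        package, sep, cls = entry.partition("/")
        if not sep or not package or not cls:
            raise ValueError(f"malformed component name: {entry!r}")
        if cls.startswith("."):  # short form is relative to the package
            cls = package + cls
        services.append((package, cls))
    return services


def unexpected_services(raw, allowed=ALLOWED_PACKAGES):
    """Return enabled services whose package is not on the allowlist."""
    return [s for s in parse_enabled_services(raw) if s[0] not in allowed]


# Constructed sample of what
#   adb shell settings get secure enabled_accessibility_services
# could return; com.example.flashlight is a made-up package.
SAMPLE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.flashlight/.HelperService"
)

if __name__ == "__main__":
    for package, cls in unexpected_services(SAMPLE):
        print(f"review: {package} runs accessibility service {cls}")
```

A flagged entry is a prompt for review, not proof of infection, since legitimate password managers and assistive tools also register accessibility services.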
Protecting Against SharkBot and Other Banking Trojans
Sysmans explained an Appdome-secured app protects against all types of mobile banking Trojans, and other malicious programs, installed on a consumer device via click-bait and social engineering.
“When an end user clicks on the (compromised) app, they get a notification that says ‘your device has been infected with malware, please remove the malware,’” said Sysmans. Appdome presents a specific eight-digit code to the user that the financial institution’s support team can use to identify the type of malware and how the user can remove it from their device.
Sysmans suggested credit unions and other financial institutions consider adding Appdome protection against SharkBot, as well as app overlay attacks such as Strandhogg and Eventbot, which masquerade as legitimate Android apps to steal user data; Trojan “families” like TrickBot, which can steal financial details, account credentials, and personally identifiable information (PII); malware droppers like xHelper that deliver malware on mobile devices; and remote access Trojans (RAT) like Pegasus, which has spyware capabilities.