The ever-changing world of mobile app threats never gets boring. Recently Sharkbot, a new Android Trojan targeting mobile banking apps, was identified. The Cleafy Labs Threat Intelligence team said that “the main goal of Sharkbot is to initiate money transfers from the compromised devices via Automatic Transfer Systems (ATS) technique bypassing multi-factor authentication mechanisms (e.g., SCA). These mechanisms are used to enforce users’ identity verification and authentication, they are usually combined with behavioural detection techniques to identify suspicious money transfers.”
Sharkbot is a Complex Mobile Banking App Trojan
The Cleafy team labels Sharkbot as “a new generation of mobile malware, as it can perform ATS attacks inside the infected device.” ATS (Automatic Transfer System) is an advanced attack technique in which the malware itself fills in the fields of a legitimate mobile banking app and initiates money transfers from the compromised device, so the fraudulent transaction originates from the victim’s own device and session.
Like all other trojans, Sharkbot masquerades as a seemingly legitimate app, including media players, live TV apps and data recovery apps. Once installed, Sharkbot immediately tries to enable Accessibility Services for itself and keeps prompting the user with fake pop-ups until they grant the new permissions and … become the next victim.
Sharkbot Uses Multiple Attack Vectors
Unlike other trojans we’ve seen, Sharkbot is especially malicious. It uses multiple attack vectors to defraud mobile banking customers:
- Avoid Google SafetyNet detection – Sharkbot uses several stealth techniques to avoid SafetyNet detection. A lot of Android developers depend on Google SafetyNet to protect their mobile apps. The fact that Sharkbot is specifically built to evade SafetyNet should be a major concern for any banking CISO.
- Intercept MFA/2FA text messages – Most banking apps rely heavily on MFA/2FA to authenticate users, validate transactions, and prevent fraud. By reading SMS one-time codes on the device, Sharkbot puts a dagger into the primary anti-fraud defense used by banks.
- Abuse of Accessibility Services – Sharkbot’s abuse of Accessibility Services is especially malicious. Not only does it use them to grant itself further permissions, it also uses them to auto-populate fields, hide the malicious app, and prevent the device owner from uninstalling the malicious app.
- Overlay Attacks – Just like other Trojans, Sharkbot uses the app overlay attack vector to steal account credentials and credit card data. It then uses the harvested data together with the intercepted MFA text messages to fraudulently log in to the banking app and perform the ATS attack.
- Auto-Populate Fields in the App – Probably the nastiest part of Sharkbot is the abuse of Accessibility Services to auto-fill fields in the mobile banking app. This is particularly bad for the following 3 reasons:
  - It makes it a lot easier for the malware to propagate.
  - It makes the overlay attack look more legitimate to mobile banking customers.
  - Consumers see auto-populate as a ‘handy feature’. They don’t think twice about just clicking next, and by doing so they allow Sharkbot to bypass MFA and 2FA in the banking app.
Evasion Techniques Used by Sharkbot
The Cleafy threat intelligence team found that Sharkbot employs several anti-analysis and anti-detection techniques. Their list is very comprehensive and I’m including it here almost verbatim.
- Strings obfuscation, to slow down the static analysis and “hide” all the commands and important information used by the malware
- Anti-Emulator. When the malicious application is installed on the device, it checks if the device is an emulator or a real phone. This technique is usually used to bypass sandboxes or common emulators used by researchers during the dynamic analysis.
- External ATS module. Once installed, the malware downloads an additional module from the C2 (command and control). The external module is a “.jar” file that contains all the functionality used to perform the ATS attacks.
- Hide the icon app. Once installed, Sharkbot hides the icon of the app from the device screen.
- Anti-delete. Sharkbot uses the Accessibility Services to prevent users from uninstalling/deleting the malware, just like other mobile banking trojans such as the recently discovered Vultur trojan.
- Encrypted communication. All communication between the malware and the C2 is encrypted and then Base64-encoded. In addition to this, Sharkbot uses a Domain Generation Algorithm (DGA) to derive its C2 domains, so blocking a single hard-coded domain is not enough.
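The anti-emulator check above is the one that most often trips up analysts, because a stock Android Virtual Device advertises itself through well-known system properties. The following is an added example (not Sharkbot’s code, and not from Cleafy’s report) that reads an `adb shell getprop` dump and reports which of the common emulator indicators would fire. The two property dumps are constructed for the example, and the set of indicators is an assumption about what such malware typically checks; the page does not list Sharkbot’s exact checks.

```python
import re
from typing import Dict, List

# Constructed `adb shell getprop` output resembling a stock Android SDK emulator (AVD).
AVD_GETPROP = """\
[ro.build.fingerprint]: [google/sdk_gphone_x86/generic_x86:11/RSR1.201013.001/6903271:userdebug/dev-keys]
[ro.hardware]: [ranchu]
[ro.kernel.qemu]: [1]
[ro.product.brand]: [google]
[ro.product.device]: [generic_x86]
[ro.product.manufacturer]: [Google]
[ro.product.model]: [sdk_gphone_x86]
"""

# Constructed dump for a physical phone; values are illustrative, not a real device capture.
PHONE_GETPROP = """\
[ro.build.fingerprint]: [google/redfin/redfin:11/RQ3A.210805.001.A1/7474174:user/release-keys]
[ro.hardware]: [redfin]
[ro.product.brand]: [google]
[ro.product.device]: [redfin]
[ro.product.manufacturer]: [Google]
[ro.product.model]: [Pixel 4a (5G)]
"""

# getprop prints one "[key]: [value]" pair per line.
_PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn getprop output into a {property: value} dict; unparseable lines are skipped."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def emulator_indicators(props: Dict[str, str]) -> List[str]:
    """Return the names of the emulator checks (assumed typical set) that fire for these properties."""
    def get(key: str) -> str:
        return props.get(key, "").lower()

    hits: List[str] = []
    if get("ro.kernel.qemu") == "1":                       # set by the QEMU-based emulator kernel
        hits.append("qemu_kernel_flag")
    if get("ro.hardware") in ("goldfish", "ranchu", "vbox86"):  # emulator HAL names
        hits.append("emulator_hardware")
    fingerprint = get("ro.build.fingerprint")
    if any(s in fingerprint for s in ("generic", "unknown", "test-keys")):
        hits.append("generic_fingerprint")
    model = get("ro.product.model")
    if any(s in model for s in ("google_sdk", "sdk_gphone", "emulator", "android sdk built for")):
        hits.append("sdk_model_name")
    if get("ro.product.device").startswith("generic"):
        hits.append("generic_device")
    if get("ro.product.manufacturer") == "genymotion":
        hits.append("genymotion_manufacturer")
    return hits


def looks_like_emulator(props: Dict[str, str]) -> bool:
    """A malware-style verdict: any single indicator is enough to refuse to run."""
    return bool(emulator_indicators(props))


if __name__ == "__main__":
    for name, dump in (("AVD", AVD_GETPROP), ("phone", PHONE_GETPROP)):
        props = parse_getprop(dump)
        print(f"{name}: emulator={looks_like_emulator(props)} indicators={emulator_indicators(props)}")
```

Run it against `adb shell getprop` from your own sandbox: every indicator it reports is a property you need to change (for example via a patched emulator image or a Frida hook on `android.os.Build`) before the sample will go past its anti-emulator gate and download the external ATS module.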
How to Protect Your Mobile Banking App Against Sharkbot Using Appdome
An Appdome-secured app is protected against mobile banking trojans and other malicious programs that land on a consumer device via click-bait and social engineering, provided the app is built with the security and fraud prevention features listed below. We’ve discussed in previous blogs how you can protect your apps against App Overlay Attacks such as StrandHogg, Mobile Banking Trojans such as EventBot, Trojan “families” like TrickBot, Malware Droppers like xHelper and Remote Access Trojans like Pegasus. Similarly, Appdome will protect your mobile banking apps against Sharkbot.
Recommended Security Model to Protect Mobile Banking Apps Against Sharkbot and Other Mobile Banking Trojans
As most security professionals will say, there is no silver bullet in security. The only good security model is a layered one. As such, my recommended solution to protect mobile banking apps (and all other mobile apps for that matter) against Sharkbot, Trojans, RATs and other attacks is the following:
- ONEShield – Appdome’s RASP solution that adds anti-debugging, anti-tampering and anti-reversing to the mobile app.
- TOTALCode Obfuscation – fully obfuscates all binary and non-native coding elements in the mobile app.
- TOTALData Encryption – uses AES-256 to dynamically encrypt all the data stored in the application sandbox and throughout the code: preferences, resources, strings.xml values and Java class dex files.
- Jailbreak and Root Prevention – prevents an iOS app from running on a jailbroken device and an Android app on a rooted device.
- Secure Communications – prevents the app from connecting to an untrusted server and protects the app against network-based attacks such as Man-in-the-Middle attacks.
- Keylogger Prevention – Auto-detects approved keyboards and stops the use of custom keyboards that may include keylogger software used to exfiltrate keystrokes.
- Detect Accessibility Abuse – Detects any application installed on the device that has been granted more accessibility service permissions than its purpose warrants. This privilege escalation is common to all Trojans and RATs, and it is the capability Sharkbot’s ATS, anti-delete and icon-hiding features all depend on.
- Block Android Debug Bridge – Automatically detects Android Debug Bridge (ADB) and prevents the use of ADB for malicious reverse-engineering, debugging, remote shell, etc.
- Block Overlay Attacks – Detects and prevents screen overlay attacks such as Anubis, BankBot, StrandHogg, BlackRock, Cloak&Dagger, Ghimob, Ginp, and MazarBot from displaying a fake screen on top of the app screen.
- Block Magisk Manager – Identifies and blocks the use of Magisk Manager, an advanced root bypass, root hiding app.
- Block Frida Toolkits – Automatically detect and block Frida based toolkits from reverse-engineering and instrumenting a mobile app’s UI and logical flow.
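Both the “Abuse of Accessibility Services” vector and the “Detect Accessibility Abuse” layer come down to one question: which accessibility services are enabled on the device, and who installed them? The following is an added triage example (my own, not Appdome’s product code) that answers it from two `adb` commands: `settings get secure enabled_accessibility_services`, which returns the same colon-separated component list an app can read through `Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES`, and `pm list packages -3`, which lists non-system packages. The sample outputs and the third-party package names are constructed for the example, and the allowlist of trusted services is an assumption you would replace with your own.

```python
from typing import List, Set, Tuple

# Constructed output of `adb shell settings get secure enabled_accessibility_services`.
# The com.example.* packages are invented stand-ins for a side-loaded media player and live TV app.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.mediaplayer/.AccessibilityHelper:"
    "com.example.tvlive/com.example.tvlive.svc.Watcher"
)

# Constructed output of `adb shell pm list packages -3` (third-party packages only).
SAMPLE_THIRD_PARTY = """\
package:com.example.mediaplayer
package:com.example.tvlive
package:com.bank.mobile
"""

# Accessibility providers that have been reviewed and accepted (assumption for this example).
TRUSTED_SERVICES: Set[str] = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the setting into (package, fully qualified class) pairs.

    The value is a ':'-separated list of flattened ComponentNames ("pkg/cls"); a class that
    starts with '.' is shorthand for a class inside the package. An unset value prints "null".
    """
    services: List[Tuple[str, str]] = []
    for item in raw.strip().split(":"):
        if not item or item == "null":
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_third_party(raw: str) -> Set[str]:
    """Collect package names from `pm list packages -3` output ("package:<name>" per line)."""
    return {
        line.split(":", 1)[1].strip()
        for line in raw.splitlines()
        if line.startswith("package:")
    }


def suspicious_services(raw_setting: str, raw_packages: str,
                        trusted: Set[str] = TRUSTED_SERVICES) -> List[Tuple[str, str]]:
    """Return (component, reason) for every enabled service that is not on the allowlist.

    A third-party package holding an accessibility service is the Sharkbot pattern and is
    reported first; anything else off the allowlist is still reported so nothing is silently skipped.
    """
    third_party = parse_third_party(raw_packages)
    flagged: List[Tuple[str, str]] = []
    for pkg, cls in parse_enabled_services(raw_setting):
        component = f"{pkg}/{cls}"
        if component in trusted:
            continue
        reason = "third-party package" if pkg in third_party else "not on allowlist"
        flagged.append((component, reason))
    return flagged


if __name__ == "__main__":
    for component, reason in suspicious_services(SAMPLE_SETTING, SAMPLE_THIRD_PARTY):
        print(f"SUSPICIOUS {component} ({reason})")
```

On a live device, feed it the real output of the two `adb shell` commands; any hit from a recently side-loaded “media player” or “TV app” is exactly the foothold described above, and because Sharkbot uses the same service to block uninstallation, removal is usually easier from safe mode or via `adb shell pm uninstall`. Note that the allowlist must be maintained: legitimate assistive apps and some password managers also register accessibility services, which is why a plain count of services is a weaker signal than the package-by-package view shown here.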
Request a demo of Appdome today to learn how to protect your mobile banking apps against Sharkbot and other mobile banking trojans.