New Generation of Android Trojan bypassing multi-factor authentication

The Cleafy TIR team has discovered a new Android banking Trojan, dubbed SharkBot, that can initiate money transfers from compromised devices using the Automatic Transfer System (ATS) technique, bypassing multi-factor authentication mechanisms.

Once installed on the victim's device, SharkBot abuses Android Accessibility Services to harvest sensitive banking data, such as login credentials, personal details and the current account balance, and to perform gestures on the infected device on the attacker's behalf.

The botnet currently targets victims in the UK, Italy and the US, mainly users of banking applications and cryptocurrency exchanges.

How the SharkBot Trojan Steals Personal Banking Information

SharkBot performs overlay attacks, drawing a fake login screen over the legitimate banking app, to steal login credentials and credit card information, and it can intercept legitimate banking communications sent via SMS, such as one-time codes.

It can also carry out Automatic Transfer System (ATS) attacks on the infected device: the malware auto-fills form fields in the legitimate banking app and initiates transfers from the compromised device itself, so the transaction originates from the victim's own enrolled device and app rather than from an attacker-controlled one.

The Trojan has a very low detection rate by anti-virus solutions, owing to the multiple anti-analysis techniques it implements, including an obfuscation routine and a domain generation algorithm (DGA) for its network communication.

By abusing Android Accessibility Services in this way, SharkBot also attempts to bypass the behavioral detection countermeasures, such as biometrics, that multiple financial services have put in place.

How to Mitigate the SharkBot Banking Trojan

SharkBot is installed on users' devices either by side-loading (installing an APK from outside an official app store) or through social engineering schemes that persuade the user to install it.

Organizations should therefore warn users against installing apps from outside the official stores and against following installation instructions received in unsolicited SMS or chat messages. Because the Trojan's core capabilities depend on Accessibility Services, the grant most worth auditing on managed devices is which apps hold Accessibility Service access: any side-loaded app that has been granted it should be treated as suspect. On managed fleets, a device policy that blocks installation from unknown sources removes the primary infection vector.
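The two infection indicators described above, a side-loaded APK and an app holding Accessibility Service access, can be checked on a USB-attached device with adb. The script below is an added example, not code from Cleafy's report or from the SharkBot sample: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and `adb shell settings get secure enabled_accessibility_services`, and flags any side-loaded package that also has an accessibility service enabled. The trusted-installer list, the accessibility allowlist and the sample command output are constructed assumptions and should be adjusted for your own fleet.

```python
"""Audit an Android device for the two SharkBot infection indicators named in
the article: side-loaded third-party packages and apps holding Accessibility
Service access. Added example, not Cleafy's or the malware's code.

Inputs are the raw text of two adb commands:
  adb shell pm list packages -3 -i            (third-party packages + installer)
  adb shell settings get secure enabled_accessibility_services
The SAMPLE_* strings below are constructed, not captured from a real device."""
import subprocess

# Assumption: installs from these stores are considered legitimate. Any other
# installer, or none at all ("installer=null"), counts as side-loaded.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Assumption: accessibility services expected on the fleet (screen reader only).
ALLOWED_ACCESSIBILITY = {"com.android.talkback", "com.google.android.marvin.talkback"}

# Constructed sample output of `pm list packages -3 -i`.
SAMPLE_PACKAGES = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.media.player.pro  installer=null
package:com.some.sideloader  installer=com.fake.store
"""
# Constructed sample output of `settings get secure enabled_accessibility_services`.
SAMPLE_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.media.player.pro/com.media.player.pro.AccessService"
)


def parse_packages(text):
    """Map package name -> installer package (None when installer=null)."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition(" ")
        installer = None
        rest = rest.strip()
        if rest.startswith("installer="):
            value = rest[len("installer="):]
            installer = None if value == "null" else value
        result[pkg] = installer
    return result


def parse_accessibility(text):
    """Set of package names whose accessibility service is enabled.
    The setting is colon-separated 'package/ServiceClass' entries; 'null' or
    an empty string means none are enabled."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def audit(packages_text, accessibility_text):
    """Return sorted lists of side-loaded packages, packages with unexpected
    accessibility access, and their intersection, which is the SharkBot
    pattern: a side-loaded app that has been granted Accessibility Service access."""
    installers = parse_packages(packages_text)
    sideloaded = {p for p, inst in installers.items() if inst not in TRUSTED_INSTALLERS}
    unexpected = parse_accessibility(accessibility_text) - ALLOWED_ACCESSIBILITY
    return {
        "sideloaded": sorted(sideloaded),
        "unexpected_accessibility": sorted(unexpected),
        "high_risk": sorted(sideloaded & unexpected),
    }


def collect_from_adb():
    """Run the two commands against the attached device (needs adb on PATH)."""
    def shell(*args):
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout
    return (shell("pm", "list", "packages", "-3", "-i"),
            shell("settings", "get", "secure", "enabled_accessibility_services"))


if __name__ == "__main__":
    try:
        pkgs, a11y = collect_from_adb()
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("no device reachable via adb; using constructed sample output")
        pkgs, a11y = SAMPLE_PACKAGES, SAMPLE_ACCESSIBILITY
    for key, value in audit(pkgs, a11y).items():
        print(f"{key}: {value}")
```

Run it with a device attached and USB debugging enabled; without one it falls back to the constructed sample, where com.media.player.pro is both side-loaded and holds accessibility access and is reported as high risk. Restricting the package listing to third-party apps (`-3`) matters because preinstalled system apps also report `installer=null` and would otherwise flood the side-loaded list.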
