Cybersecurity researchers have uncovered a new Android trojan that can circumvent multi-factor authentication on banking apps, putting users' financial data and money at risk.
Dubbed "SharkBot" by Cleafy researchers, the Android malware has been spotted in assaults across Europe and the United States to siphon credentials from smartphones using the Google Android operating system.
"The main goal of SharkBot is to initiate money transfers from the compromised devices via Automatic Transfer Systems (ATS) technique bypassing multi-factor authentication mechanisms (e.g., SCA)," the researchers from cyber security firm Cleafy said in a report.
"Once SharkBot is successfully installed in the victim's device, attackers can obtain sensitive banking information through the abuse of Accessibility Services, such as credentials, personal information, current balance, etc., but also to perform gestures on the infected device."
According to researchers, SharkBot is modular malware that belongs to the next generation of mobile malware able to perform attacks based on the Automatic Transfer System (ATS) system. The android trojan is equipped with several features, such as the ability to block legitimate banking communications sent via SMS, enable keylogging, and secure full remote control of the exploited devices.
Additionally, the malware poses as a media player, live TV, or data recovery apps and prompts users with rogue pop-ups to grant it wide permissions only to steal private details. Where it stands apart is the exploitation of accessibility settings to carry out ATS attacks, which allow the operators to "auto-fill fields in legitimate mobile banking apps and initiate money transfers from the compromised devices to a money mule network controlled by the cybercriminals."
The Android trojan employs different anti-analysis and detection techniques to bypass multi-factor authentication on banking apps, including running emulator checks, encrypting command-and-control communications with a remote server, and concealing the app's icon from the home screen post-installation. Till now, no samples of the malware have been spotted on the Google Play Store, depicting that the malicious apps are installed on the users' devices either via sideloading or social engineering techniques.
"The discovery of SharkBot in the wild show mobile malware are quickly finding new ways to perform fraud, trying to bypass behavioral detection countermeasures put in place by multiple banks and financial services during the last years," the researchers stated.
