Bank account, you risk losing all your money: beware of this virus

First discovered in October 2021, SharkBot is a banking trojan capable of bypassing multi-factor authentication mechanisms to steal account credentials from Android mobile devices. It then steals funds from user’s online banking and cryptocurrency accounts.

SharkBot works by executing unauthorized transactions through Automatic Transfer Systems (ATS). It creates realistic copies of bank input forms and then, after the unsuspecting user enters the necessary data, sends the compromised data to a malicious server.

More recently, SharkBot has been deleted from Google Play, when he removed six different antivirus apps downloading and installing malware on the phones of unsuspecting users who, ironically, were just trying to protect themselves from viruses and theft. The six apps have been downloaded at least 15,000 times by users in Italy and in the UK before their removal.

While Android-specific malware isn’t new, there are a few unique features of Sharkbot which distinguish it from other trojans, remembering that malware today also hides in applications such as whatsapp.

First, it has a geofencing function which allows it to target users based on their geographic area. More recently, they have been Frreturns targeting UK and Italian users, but users from China, Russia, Ukraine, India, Romania and Belarus were ignored.

SharkBot also uses a Domain Generated Algorithm (DGA), which is unusual in malware focused on android. Using DGA, SharkBot generates seven domains for each hardcoded seed.

Sharkbot, so it empties your bank account

The researchers found eight different seed/algorithm combinations, providing 56 domains per week.

SharkBot also uses over 22 commands on infected androids. It also includes requesting permission to send SMS messages, uninstalling other applications.

Only time will tell which are the effective long-term damage of this malware. While Google has made significant progress in malware reduction and other malicious apps on Google Play, this latest case with SharkBot shows that the hackers are just getting better at information fishing.

SharkBot is a great reminder that in the end we are all responsible for our cyber security and that it is up to users to research apps (even from reputable brands) before downloading them. Practicing safe cyber hygiene so that you are not vulnerable in shark infested waters is crucial!

The banking trojan of remote access SharkBot it was first spotted in October 2021. Security researchers discovered it and concluded that it was one of a kind. It does not possess any connection to malware like TeaBot or Xenomorph and had some particularly sophisticated and insidious functions.

One Updated SharkBot so he can hide today again, inside an innocent looking antivirus app which is still available on the Google Play Store.