Sophisticated Banking Malware Resurfaces with a new Variant

During a routine threat hunting exercise, Cyble Research Labs came across a post by Cleafy about a new version of the Android malware called SharkBot v1.63. This is the latest variant of the SharkBot Banking Trojan, specifically designed to perform financial fraud and steal sensitive information.

SharkBot was initially discovered in October 2021. The malware is designed to attack banking apps and cryptocurrency exchanges across the United Kingdom, Italy, and the United States. SharkBot uses the Automatic Transfer Systems (ATS) approach to initiate fraudulent money transfers from the infected device and bypass multi-factor authentication.

This malware belongs to a new generation of mobile malware, as it leverages ATS. Attackers can use this sophisticated attack technique to auto-fill forms in legitimate mobile banking apps and make fraudulent transfers from compromised devices.

The Threat Actor(s) (TAs) behind this malware use ATS technology to carry out malicious activities with minimal interaction between the TA’s Command and Control (C&C) server and the infected device. Unlike other banking trojans such as Medusa, TeaBot, and OSCORP, SharkBot has a lower chance of being detected due to its minimal user interaction.

Technical Analysis

We have listed the technical details for one of the samples that we have collected from the latest version of SharkBot.

APK Metadata Information

• App Name:  _Andrоid Аntivirus
• Package Name: com.tadpweougjly.iotbvgxykp
• Main Activity: com.tadpweougjly.iotbvgxykp.MainActivity
• SHA256 Hash: 
  4b7945e3756abb48e2a9b62d8a3a7f633811a1073a20a7d46c121e29b41b6c31

Manifest Information

SharkBot requests 14 different permissions, out of which it abuses 7. The malware requests the user for the following harmful permissions:

Permissions	Description
READ_SMS	Access device messages
RECEIVE_SMS & RECEIVE_MMS	Allows applications to receive SMS and MMS messages
SYSTEM_ALERT_WINDOW	Allows the app to draw on top of other applications
REQUEST_INSTALL_PACKAGES	Allows the app to install new applications
SEND_SMS	Allows the app to send SMSs to a number
WRITE_SMS	Allows the app to write SMS

BIND_ACCESSIBILITY_SERVICES and SYSTEM_ALERT_WINDOW are the two highly risky permissions used by the SharkBot.

• BIND_ACCESSIBILITY_SERVICES: The malware can utilize this permission to access the Android Accessibility Service, a background service that allows it to intercept user actions, insert data into user fields without the user’s knowledge, and track their activity.
• SYSTEM_ALERT_WINDOW: This allows the malware to generate overlay displays that may be used to steal passwords, prevent a user from gaining access to the device, and so on.

Alongside the malicious permissions as indicated in Table 1, the application’s entire set of permissions is represented below.

Malware Behaviour

We observed that the application collects financial and personal information from the victim during our analysis. When the malware is first launched, it asks the user to allow Accessibility permission.

Upon enabling the Accessibility permission, the malware automatically grants all additional permissions by using the Accessibility service to make automated clicks. When these permissions are granted, the malware begins its malicious behavior, such as:

• Intercepting SMSs and stealing transaction-related OTPs.
• While making financial transactions, inject hostile actors’ account details.
• Install/uninstall any software.
• Gather information about the hardware.
• Make a list of all the apps that have been installed on the infected device.

SharkBot uses HTML pages included in the assets folder of the APK, demonstrating users on enabling Accessibility service. Figure 3 depicts the content of the HTML files.

Source Code Review

com.tadpweougjly.iotbvgxykp.MainActivity is the malicious app’s entry point activity, which launhces as the app’s initial screen.

The code that loads the demo screen HTML pages from the assets folder is called under the Main activity, as depicted in Figure 4.

The application also uses the DexClassLoader (DCL) API to load an additional payload from the Command and Control (C2) server. The code to commit financial fraud utilizing ATS technology is contained in the second payload. Figure 5 depicts the code capability of the application to load an additional payload.

SharkBot employs several anti-analysis and detection approaches, including Obfuscation of strings to slow down static analysis and hide all the malware-related commands and vital data, as demonstrated below.

Anti-Emulator: When a malicious app is installed, it determines whether it is an emulator or a genuine device. This approach is typically employed to bypass sandboxes or standard emulators utilized by researchers while performing dynamic analysis. Figure 7 depicts the code for emulator check.

Domain Generation Algorithm (DGA): SharkBot uses DGA to generate a secondary C&C server if the primary C&C URL is detected and is taken down. The code used for DGA is given in Figure 8.

Hides the app Icon: SharkBot hides the app’s icon from the device screen once installed.

Anti-delete: SharkBot uses Accessibility Services to prevent users from uninstalling the app via Settings.

Some common features that SharkBot uses similar to other variants of banking trojans are:

• The capability to read and hide SMSs sent to the infected users: Threat actors typically utilize this function to read the 2FA via text messages sent by the bank as shown below.

• Overlay attack used to acquire usernames, passwords, and credit card numbers: SharkBot uses this functionality to gain the login credentials of the targeted banks/crypto apps, allowing it to proceed with the ATS attacks.

The malicious app uses ATS attacks to allow the TA to auto-fill fields in genuine mobile banking apps and conduct money transfers from the infected devices to a TA or affiliate-controlled money mule network. This allows them to expand their operations with minimal user involvement.

Some of the characteristics of ATS that makes it difficult to identify and handle are:

1. They do not require a “new device enrollment” phase, minimizing their footprint significantly.
2. They can circumvent any 2FA mechanism implemented by financial applications (e.g., SMS-based, push-based, etc.).
3. ATS assaults can beat cognitive detection systems, including behavioral biometrics because the malware makes it seem like the trusted user is conducting all activities.
4. Unauthorized wire transfers are inserted and authorized on the victim’s device, which banks normally regard as “trustworthy.”

SharkBot can intercept and modify all the data on the device screen once a victim has been given accessibility permissions. The Android OS sends Android AccessibilityEvents when something important happens in the user interface. The primary function of an Accessibility event is to notify an AccessibilityService of UI changes.

SharkBot appears to be solely interested in a specific segment of Accessibility events, which include:

SharkBot intercepts the following Accessibility Event types to conduct malicious activities:

TYPE_VIEW_CLICKEDTYPE_VIEW_SELECTEDTYPE_VIEW_TEXT_CHANGETYPE_VIEW_TEXT_SELECTION_CHANGE	When a button is pressed, an object is chosen, or text changes are recognized, this event is triggered.
TYPE_WINDOW_STATE_CHANGEDTYPE_WINDOW_CONTENT_CHANGEDCONTENT_CHANGE_TYPE_TEXT	When a visually unique section of the user interface is discovered, such as when a new Activity is launched, this event is dispatched (e.g., navigating to a different page of the same application or switching applications).
TYPE_NOTIFICATION_STATE_CHANGEDTYPE_ANNOUNCEMENT	When a new notification occurs on the device or an application makes an announcement, this event is initiated.

The TA may also passively log all information exfiltrated from each infected device. This allows them to augment SharkBot with the detailed information required for subsequent ATS attacks such as account balances, activated 2FA/SCA/MFA techniques, cash-out availability, e.g., Single Euro Payments Area (SEPA), Instant payments, etc.

SharkBot will begin communicating with the infected device and auto-fill inputs in mobile banking applications and conduct money transfers once the TA remotely orders the ATS attack.

TA can also interact with the targeted application at this phase, simulating motions and clicks if necessary. Figure 11 depicts the ATS attack performed through various commands remotely.

As observed in the earlier versions of SharkBot, the current variants also receive commands from the TA through the C2 URL hard coded within the app in encrypted texts. Figure 12 depicts the list of commands stored within the app in encrypted text.

The list of commands used in SharkBot is given below:

Command	Description
updateLib	Not implemented
updateSQL	Update configuration data stored on a local database
updateConfig	Update the configuration file containing the C2 URL and the targets
uninstallApp	Delete an app installed on the infected device
changeSmsAdmin	Change the default SMS app manager
sendInject	Receive Overlay attacks payloads from the C2 server
updateTimeKnock	Update timestamp bot
localATS	Enable ATS attacks (new command)
enableKeyLogger	Get keylogging steps during ATS attack
doze	Bypass Android “doze” feature for enabling network communication in the background
stopAll	Reset ATS routine

SharkBot also receives configurations, which contain the TA’s account information, and stores the configuration in a database called database.db.

The malware author maintains the C2 URL and SharkBot version details hardcoded in the code. The hard-coded C2 URL and SharkBot version are shown below.

Conclusion

We’re witnessing a quick progression in the mobile industry, similar to how workstation malware has grown in recent years, toward more complex patterns such as ATS assaults.

Mobile malware is being rapidly developed by TAs with new ways to commit fraud. This helps the malware to circumvent behavioral detection countermeasures used by several banks and financial institutions.

SharkBot malware is one example of a banking malware variant that has developed anti-detection tactics and algorithms in its latest version. It makes use of the SYSTEM ALERT WINDOW permission, which is seen as a potentially harmful one in the Android ecosystem since it is only supposed to be used by trustworthy applications such as Google apps and its partners.

The malware was also not identified in the Google Play Store, implying that it is propagated via other vectors such as Smishing, Email Phishing, or other Social Engineering activities. Presumably, the malware can only be installed using Android’s side loading function.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How To Prevent Malware Infection?

• Download and install software only from official app stores like Google Play Store or the iOS App Store.
• Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
• Use strong passwords and enforce multi-factor authentication wherever possible.
• Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
• Be wary of opening any links received via SMS or emails delivered to your phone.
• Ensure that Google Play Protect is enabled on Android devices.
• Be careful while enabling any permissions.
• Keep your devices, operating systems, and applications updated.

How To Identify Whether You Are Infected?

• Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.
• Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What To Do When You Are Infected?

• Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
• Perform a factory reset of the device.
• Remove the application in case a factory reset is not possible.
• Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What To Do In Case Of Any Fraudulent Transaction?

• In case of a fraudulent transaction, immediately report it to the concerned bank

What Should Banks Do To Protect Their Customers?

• Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails. 

MITRE ATT&CK® Techniques

Tactic	Technique ID	Technique Name
Defense Evasion	T1406 T1444	Obfuscated Files or Information Masquerade as Legitimate Application
Credential Access	T1412 T1409	Capture SMS Messages Access Stored Application Data
Discovery	T1421 T1424 T1418	System Network Connections Discovery Process Discovery Application Discovery
Collection	T1507 T1412 T1432 T1429	Network Information Discovery Capture SMS Messages Access Contact List Capture Audio
Command and Control	T1571 T1573	Non-Standard Port Encrypted Channel
Impact	T1447	Delete Device Data

Indicators Of Compromise (IOCs)

Indicators	Indicator type	Description
4b7945e3756abb48e2a9b62d8a3a7f633811a1073a20a7d46c121e29b41b6c31	SHA256	Hash Value of Main APK File
9dc56ee0f128ba3c198777693fa9a6028fa8f54e294d7be2e06ed4bbd8a2e3f7	SHA256	Hash Value of Dex file
hxxp://mnbvakjjouxir0zkzmd[.]xyz/	URL	C&C URL

About Us 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.