Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label SharkBot. Show all posts

Mobile Banking Trojan Volume Doubles

 


There were nearly 200,000 new telecommunications and banking Trojans developed in 2022, an increase of 100% over the previous year and the biggest spike in mobile malware development seen in the previous six years, confirming the trend of mobile malware development being propelled forward in recent years. 

The information was provided by Kaspersky Lab's report entitled "Mobile Threats in 2022" which can be found here. During the year, the firm also reported that 1.6 million malware installers were detected as part of its telemetry as provided by telemetry. While malware creation surged ahead in 2020, there was a decline in threat activity (down from 3.5 million in 2021 and 5.7 million in 2020), despite the surge in attacks in 2021. 

Based on the report released today, cybercriminals are increasingly targeting mobile users. They are also investing a lot of time in creating updated malware to steal financial information, making these increased activities more likely. Similarly, it stated, over the last few years, cybercriminal activity has leveled off, with attack numbers staying steady after slackening in 2021. 

The truth is that cybercriminals continue to improve the functionality of malware as well as how it spreads. 

The banking Trojan is designed to steal mobile banking credentials and e-payment information, but it can quickly be repurposed to steal other kinds of information, including those related to identity theft and the spread of other malware. In the past few years, many malware strains have emerged that have become synonymous with the term "all-purpose malware strains", including popular strains like Emotet and TrickBot, for instance. 

There is a great risk that you might encounter a banking Trojan if you use a non-official app store, but Google Play has been repeatedly flooded with "downloaders of trojans such as Sharkbot, Anatsa/Teaban, Octo/Copper, and Xenomorph disguised as utilities." 

According to Kaspersky's report, unofficial apps pose the greatest risk. Sharkbot is an example of malware masquerading as a legitimate file manager that is malicious (and can evade Google's vetting process) until it has been installed. 

After that, it will begin to request permission to install other packages which will together perform malicious banking Trojan activities that can be considered malicious. In recent years, mobile banking Trojans have been one of the most prevalent and concerning mobile malware threats, used to implement attacks to steal data related to online banking and e-payment systems as well as bank credentials. This is the highest number of mobile banking Trojan installers detected by Kaspersky in the past six years. The number was double what Kaspersky detected in 2021 and represents a fifty percent increase from that year's figure. 

In light of this, cybercriminals are increasingly interested in stealing financial data from smartphone users, and this information is a target of their attacks. It is also clear that they seem to be investing heavily in updating their malware, which may result in severe losses for their targets in the long run. 

The Trojan banker malware is spread by cyber criminals through both official and unofficial app stores, through which they distribute their malware. Several banking Trojan families are still available on Google Play, including Sharkbot, Anatsa/Teaban, Octo/Copper, and Xenomorph, which are disguised as utilities but are downloaders for banking Trojans.  

In Sharkbot's case, they created a fake file manager in which they would distribute downloaders. A Trojan can request permission to be installed on the device of a user, thus putting the user's security at risk. Furthermore, these downloaders can request permission to be installed on the device so that it can operate on the user's device.

SharkBot Malware Returns to Google Play, to Steal Login Credentials

 

A new and updated version of the SharkBot malware has returned to Google's Play Store, targeting Android users' banking logins via apps with tens of thousands of installations. When submitted to Google's automatic review, the malware was found in two Android apps that did not contain any malicious code. SharkBot, on the other hand, is added in an update that takes place after the user installs and launches the dropper apps.

According to a blog post by Fox IT, a division of the NCC Group, the two malicious apps are "Mister Phone Cleaner" and "Kylhavy Mobile Security," which have 60,000 installations combined. Although the two apps have been removed from Google Play, users who have installed them are still at risk and will require to uninstall them manually.

SharkBot has advanced now

SharkBot was discovered in October 2021 by malware analysts at Cleafy, an Italian online fraud management and prevention company. NCC Group discovered the first apps carrying it on Google Play in March 2022.

At the time, the malware was capable of performing overlay attacks, stealing data through keylogging, intercepting SMS messages, and granting threat actors complete remote control of the host device by abusing the Accessibility Services. 

ThreatFabric researchers discovered SharkBot 2 in May 2022, which included a domain generation algorithm (DGA), an updated communication protocol, and completely refactored code. On August 22, Fox-IT researchers discovered a new version of the malware (2.25) that adds the ability to steal cookies from bank account logins.

“Abusing the accessibility permissions, the dropper was able to automatically click all the buttons shown in the UI to install Sharkbot. But this is not the case in this new version of the dropper for Sharkbot. The dropper instead will make a request to the C2 server to directly receive the APK file of Sharkbot. It won’t receive a download link alongside the steps to install the malware using the ‘Automatic Transfer Systems’ (ATS) features, which it normally did,” Fox IT says.

When the dropper app is installed, it contacts the command and control (C2) server and requests the malicious SharkBot APK file. The dropper then notifies the user that an update is available and instructs them to install the APK and grant all necessary permissions. SharkBot stores its hard-coded configuration in encrypted form using the RC4 algorithm to make automated detection more complicated. 

About cookie-loving Sharkbot

SharkBot 2.25 retains the overlay, SMS intercept, remote control, and keylogging systems, but a cookie logger has been added on top of them. When the victim logs into their bank account, SharkBot uses a new command ("logsCookie") to steal their valid session cookie and send it to the C2.

Cookies are useful for account takeovers because they contain software and location information that help bypass fingerprinting checks or, in some cases, the user authentication token itself. Throughout the investigation, Fox IT personnel discovered new SharkBot campaigns in Europe (Spain, Austria, Germany, Poland, and Austria) and the United States. 

The researchers discovered that the malware uses the keylogging feature in these attacks to steal sensitive information directly from the official app it targets. Fox IT expects SharkBot campaigns to continue and the malware to evolve now that an improved version of the malware is available.