
Analysis – SharkBot Malware v1.63

Sophisticated Banking Malware Resurfaces with a new Variant

During a routine threat hunting exercise, Cyble Research Labs came across a post by Cleafy about a new version of the Android malware called SharkBot v1.63. This is the latest variant of the SharkBot Banking Trojan, specifically designed to perform financial fraud and steal sensitive information.

SharkBot was initially discovered in October 2021. The malware is designed to attack banking apps and cryptocurrency exchanges across the United Kingdom, Italy, and the United States. SharkBot uses the Automatic Transfer Systems (ATS) approach to initiate fraudulent money transfers from the infected device and bypass multi-factor authentication.

This malware belongs to a new generation of mobile malware, as it leverages ATS. Attackers can use this sophisticated attack technique to auto-fill forms in legitimate mobile banking apps and make fraudulent transfers from compromised devices.

The Threat Actor(s) (TAs) behind this malware use ATS technology to carry out malicious activities with minimal interaction between the TA’s Command and Control (C&C) server and the infected device. Unlike other banking trojans such as Medusa, TeaBot, and OSCORP, SharkBot has a lower chance of being detected due to its minimal user interaction.

Technical Analysis

We have listed the technical details for one of the samples that we have collected from the latest version of SharkBot.

APK Metadata Information

  • App Name:  _Andrоid Аntivirus
  • Package Name: com.tadpweougjly.iotbvgxykp
  • Main Activity: com.tadpweougjly.iotbvgxykp.MainActivity
  • SHA256 Hash: 4b7945e3756abb48e2a9b62d8a3a7f633811a1073a20a7d46c121e29b41b6c31
Figure 1 – Application Metadata information

Manifest Information

SharkBot requests 14 different permissions, out of which it abuses 7. The malware requests the user for the following harmful permissions:

Permission                | Description
READ_SMS                  | Access device messages
RECEIVE_SMS & RECEIVE_MMS | Allows applications to receive SMS and MMS messages
SYSTEM_ALERT_WINDOW       | Allows the app to draw on top of other applications
REQUEST_INSTALL_PACKAGES  | Allows the app to install new applications
SEND_SMS                  | Allows the app to send SMSs to a number
WRITE_SMS                 | Allows the app to write SMS
Table 1 – Permissions used by the malware app

BIND_ACCESSIBILITY_SERVICES and SYSTEM_ALERT_WINDOW are the two highest-risk permissions used by SharkBot.

  • BIND_ACCESSIBILITY_SERVICES: The malware can utilize this permission to access the Android Accessibility Service, a background service that allows it to intercept user actions, insert data into user fields without the user’s knowledge, and track their activity.
  • SYSTEM_ALERT_WINDOW: This allows the malware to generate overlay displays that may be used to steal passwords, prevent a user from gaining access to the device, and so on.

Alongside the malicious permissions as indicated in Table 1, the application’s entire set of permissions is represented below.

Figure 2 – Permissions used by the malware app
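A defender triaging a sample like this one usually starts from the decoded manifest rather than from the running app. The script below is an added example (it is not Cyble's tooling and not code from the sample) that scans a decoded AndroidManifest.xml for the Table 1 permission set and for any service bound with BIND_ACCESSIBILITY_SERVICE, and rates the combination rather than any single permission. It assumes the manifest has already been converted to plain-text XML (for instance by apktool); the sample manifest is constructed, using the package name from the report and a placeholder service class name.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission set
SharkBot requests (Table 1). Added example, not Cyble's tooling: assumes
the manifest was decoded to plain-text XML (e.g. by apktool); the raw
AndroidManifest.xml inside an APK is binary XML and is not handled here."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# Permissions from Table 1 with the abuse each one enables.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read device messages (OTP theft)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.RECEIVE_MMS": "intercept incoming MMS",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further packages",
    "android.permission.SEND_SMS": "send SMS from the device",
    "android.permission.WRITE_SMS": "write or hide SMS",
}
# A <service> declared with this permission is an Accessibility Service.
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the risky permissions, accessibility services and a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ATTR_NAME) for el in root.iter("uses-permission")}
    risky = sorted(p for p in requested if p in RISKY_PERMISSIONS)
    acc_services = [
        svc.get(ATTR_NAME)
        for svc in root.iter("service")
        if svc.get(ATTR_PERMISSION) == BIND_ACCESSIBILITY
    ]
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in requested
    sms = any(p.endswith(("READ_SMS", "RECEIVE_SMS")) for p in requested)

    # Single permissions are common in benign apps; an accessibility service
    # combined with overlay and SMS access is the banking-trojan pattern the
    # report describes, so the verdict keys on that combination.
    if acc_services and overlay and sms:
        verdict = "high"
    elif acc_services or (overlay and sms):
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "package": root.get("package"),
        "risky_permissions": risky,
        "accessibility_services": acc_services,
        "verdict": verdict,
    }


# Constructed manifest: package name from the report, service class name is a
# placeholder (not taken from the sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.tadpweougjly.iotbvgxykp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_MMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Android Antivirus">
        <activity android:name=".MainActivity"/>
        <service android:name=".PlaceholderAccessibilityService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(manifest)
        print(report["package"], "->", report["verdict"])
        for perm in report["risky_permissions"]:
            print("   ", perm, ":", RISKY_PERMISSIONS[perm])
```

Scoring the combination is deliberate: SMS or overlay permissions alone appear in legitimate messaging and assistant apps, while an accessibility service next to both is the pattern worth escalating for manual review.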

Malware Behaviour

During our analysis, we observed that the application collects financial and personal information from the victim. When the malware is first launched, it asks the user to grant the Accessibility permission.

Upon enabling the Accessibility permission, the malware automatically grants all additional permissions by using the Accessibility service to make automated clicks. When these permissions are granted, the malware begins its malicious behavior, such as:

  • Intercepting SMSs and stealing transaction-related OTPs.
  • Injecting the hostile actors’ account details while financial transactions are being made.
  • Installing or uninstalling any software.
  • Gathering information about the hardware.
  • Listing all the apps installed on the infected device.

SharkBot uses HTML pages included in the assets folder of the APK to walk users through enabling the Accessibility service. Figure 3 depicts the content of the HTML files.

Figure 3 – Demonstrating HTML pages to enable Accessibility Service loaded from Assets Folder

Source Code Review

com.tadpweougjly.iotbvgxykp.MainActivity is the malicious app’s entry point activity, which launches as the app’s initial screen.

The code that loads the demo screen HTML pages from the assets folder is invoked from the Main activity, as depicted in Figure 4.

Figure 4 – Code that loads HTML pages from asset folder

The application also uses the DexClassLoader (DCL) API to load an additional payload from the Command and Control (C2) server. The code to commit financial fraud utilizing ATS technology is contained in the second payload. Figure 5 depicts the code capability of the application to load an additional payload.

Figure 5 – Using DCL APIs to load payloads

SharkBot employs several anti-analysis and anti-detection techniques, including obfuscation of strings to slow down static analysis and to hide the malware-related commands and vital data, as demonstrated below.

Figure 6 – Obfuscation of strings to avoid analysis

Anti-Emulator: When the malicious app is installed, it determines whether it is running on an emulator or a genuine device. This approach is typically employed to bypass sandboxes or standard emulators used by researchers during dynamic analysis. Figure 7 depicts the emulator check code.

Figure 7 – Emulator Check code found from Malicious App

Domain Generation Algorithm (DGA): SharkBot uses a DGA to generate a secondary C&C server if the primary C&C URL is detected and taken down. The code used for the DGA is given in Figure 8.

Figure 8 – DGA Generation for Secondary C2 Server

Hides the app Icon: SharkBot hides the app’s icon from the device screen once installed.

Anti-delete: SharkBot uses Accessibility Services to prevent users from uninstalling the app via Settings.

Some features that SharkBot shares with other banking trojan variants are:

  • The capability to read and hide SMSs sent to the infected users: Threat actors typically utilize this function to read the 2FA via text messages sent by the bank as shown below.
Figure 9 – Reading incoming text messages

  • Overlay attack used to acquire usernames, passwords, and credit card numbers: SharkBot uses this functionality to gain the login credentials of the targeted banks/crypto apps, allowing it to proceed with the ATS attacks.

The malicious app uses ATS attacks to allow the TA to auto-fill fields in genuine mobile banking apps and conduct money transfers from the infected devices to a TA or affiliate-controlled money mule network. This allows them to expand their operations with minimal user involvement.

Some of the characteristics of ATS that make it difficult to identify and handle are:

  1. They do not require a “new device enrollment” phase, minimizing their footprint significantly.
  2. They can circumvent any 2FA mechanism implemented by financial applications (e.g., SMS-based, push-based, etc.).
  3. ATS assaults can beat cognitive detection systems, including behavioral biometrics, because the malware makes it seem like the trusted user is conducting all activities.
  4. Unauthorized wire transfers are inserted and authorized on the victim’s device, which banks normally regard as “trustworthy.”

SharkBot can intercept and modify all the data on the device screen once the victim has granted the Accessibility permission. The Android OS sends AccessibilityEvents when something important happens in the user interface. The primary function of an Accessibility event is to notify an AccessibilityService of UI changes.

SharkBot appears to be solely interested in a specific segment of Accessibility events, which include:

Figure 10 – Intercepts by SharkBot on AccessibilityEvents types

SharkBot intercepts the following Accessibility Event types to conduct malicious activities:

Accessibility Event Types | Description
TYPE_VIEW_CLICKED, TYPE_VIEW_SELECTED, TYPE_VIEW_TEXT_CHANGE, TYPE_VIEW_TEXT_SELECTION_CHANGE | When a button is pressed, an object is chosen, or text changes are recognized, this event is triggered.
TYPE_WINDOW_STATE_CHANGED, TYPE_WINDOW_CONTENT_CHANGED, CONTENT_CHANGE_TYPE_TEXT | When a visually unique section of the user interface is discovered, such as when a new Activity is launched, this event is dispatched (e.g., navigating to a different page of the same application or switching applications).
TYPE_NOTIFICATION_STATE_CHANGED, TYPE_ANNOUNCEMENT | When a new notification occurs on the device or an application makes an announcement, this event is initiated.
Table 2 – Accessibility Event Types
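An accessibility service declares the event types it wants in its res/xml service configuration, so the subscription in Table 2 is visible statically before the app ever runs. The script below is an added example, not Cyble's tooling or code from the sample: it reads a decoded accessibility service config, maps the subscribed android:accessibilityEventTypes tokens onto the three groups in Table 2, and checks the canRetrieveWindowContent and canPerformGestures capabilities that reading screen content and injecting clicks require. It assumes the config XML was extracted from the APK as plain text (e.g. by apktool); the attribute names are the real Android ones, the risk buckets and both sample configs are this example's own.

```python
"""Assess an Android accessibility service config for the event types and
capabilities Table 2 describes. Added example, not Cyble's tooling; assumes
the res/xml config was decoded to plain XML (e.g. by apktool). The attribute
names are the real android: ones; the groupings and verdicts are ours."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(element, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


# Table 2 groups keyed by the config-file spelling of each event type.
EVENT_GROUPS = {
    "typeViewClicked": "ui_interaction",
    "typeViewSelected": "ui_interaction",
    "typeViewTextChanged": "ui_interaction",
    "typeViewTextSelectionChanged": "ui_interaction",
    "typeWindowStateChanged": "window_change",
    "typeWindowContentChanged": "window_change",
    "typeNotificationStateChanged": "notification",
    "typeAnnouncement": "notification",
}


def assess_service_config(config_xml: str) -> dict:
    """Return the subscribed Table 2 groups, capabilities and a verdict."""
    root = ET.fromstring(config_xml)
    raw = _attr(root, "accessibilityEventTypes") or ""
    types = {t.strip() for t in raw.split("|") if t.strip()}
    # typeAllMask subscribes to every event type, so it covers all groups.
    if "typeAllMask" in types:
        groups = set(EVENT_GROUPS.values())
    else:
        groups = {EVENT_GROUPS[t] for t in types if t in EVENT_GROUPS}
    can_read = _attr(root, "canRetrieveWindowContent") == "true"
    can_gesture = _attr(root, "canPerformGestures") == "true"
    # Reading window content and injecting gestures while tracking window
    # changes is what an ATS routine needs; a screen reader rarely needs the
    # gesture capability at all.
    if can_read and can_gesture and "window_change" in groups:
        verdict = "high"
    elif can_read and groups:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "event_groups": sorted(groups),
        "can_retrieve_window_content": can_read,
        "can_perform_gestures": can_gesture,
        "verdict": verdict,
    }


# Constructed config subscribing to the Table 2 event types explicitly.
SAMPLE_CONFIG = """<accessibility-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeViewClicked|typeViewTextChanged|typeWindowStateChanged|typeWindowContentChanged|typeNotificationStateChanged"
    android:accessibilityFeedbackType="feedbackGeneric"
    android:canRetrieveWindowContent="true"
    android:canPerformGestures="true"/>"""

# Constructed config using the catch-all mask without gesture capability.
ALL_MASK_CONFIG = """<accessibility-service
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeAllMask"
    android:accessibilityFeedbackType="feedbackGeneric"
    android:canRetrieveWindowContent="true"/>"""

if __name__ == "__main__":
    for name, cfg in (("explicit", SAMPLE_CONFIG), ("all-mask", ALL_MASK_CONFIG)):
        print(name, assess_service_config(cfg))
```

The typeAllMask branch matters in practice: a service that asks for everything never lists the individual types, so a checker that only string-matches the Table 2 constants would miss it.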

The TA may also passively log all information exfiltrated from each infected device. This allows them to augment SharkBot with the detailed information required for subsequent ATS attacks such as account balances, activated 2FA/SCA/MFA techniques, cash-out availability, e.g., Single Euro Payments Area (SEPA), Instant payments, etc.

Once the TA remotely orders the ATS attack, SharkBot begins communicating with the infected device, auto-filling inputs in mobile banking applications and conducting money transfers.

The TA can also interact with the targeted application at this phase, simulating motions and clicks if necessary. Figure 11 depicts the ATS attack performed through various commands sent remotely.

Figure 11 – ATS Attack performed through Various commands in Mobile banking apps

As observed in the earlier versions of SharkBot, the current variant also receives commands from the TA through the C2 URL hard-coded within the app as encrypted text. Figure 12 depicts the list of commands stored within the app in encrypted form.

Figure 12 – Encrypted Commands hard coded within the app

The list of commands used in SharkBot is given below:

Command         | Description
updateLib       | Not implemented
updateSQL       | Update configuration data stored on a local database
updateConfig    | Update the configuration file containing the C2 URL and the targets
uninstallApp    | Delete an app installed on the infected device
changeSmsAdmin  | Change the default SMS app manager
sendInject      | Receive overlay attack payloads from the C2 server
updateTimeKnock | Update the bot timestamp
localATS        | Enable ATS attacks (new command)
enableKeyLogger | Get keylogging steps during the ATS attack
doze            | Bypass the Android “doze” feature to enable network communication in the background
stopAll         | Reset the ATS routine
Table 3 – List of Commands

SharkBot also receives configurations, which contain the TA’s account information, and stores the configuration in a database called database.db.

Figure 13 – Database used by TA for storing data and configuration

The malware author maintains the C2 URL and SharkBot version details hardcoded in the code. The hard-coded C2 URL and SharkBot version are shown below.

Figure 14 – Hardcoded C2 URL along with SharkBot Version

Conclusion

We’re witnessing a quick progression in the mobile industry, similar to how workstation malware has grown in recent years, toward more complex patterns such as ATS assaults.

Mobile malware is being rapidly developed by TAs with new ways to commit fraud. This helps the malware to circumvent behavioral detection countermeasures used by several banks and financial institutions.

SharkBot malware is one example of a banking malware variant that has developed anti-detection tactics and algorithms in its latest version. It makes use of the SYSTEM_ALERT_WINDOW permission, which is seen as a potentially harmful one in the Android ecosystem since it is only supposed to be used by trustworthy applications such as Google apps and its partners.

The malware was also not identified in the Google Play Store, implying that it is propagated via other vectors such as smishing, email phishing, or other social engineering activities. Presumably, the malware can only be installed using Android’s sideloading function.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How To Prevent Malware Infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How To Identify Whether You Are Infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What To Do When You Are Infected?

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset of the device.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What To Do In Case Of Any Fraudulent Transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What Should Banks Do To Protect Their Customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails. 

MITRE ATT&CK® Techniques

Tactic              | Technique ID | Technique Name
Defense Evasion     | T1406        | Obfuscated Files or Information
Defense Evasion     | T1444        | Masquerade as Legitimate Application
Credential Access   | T1412        | Capture SMS Messages
Credential Access   | T1409        | Access Stored Application Data
Discovery           | T1421        | System Network Connections Discovery
Discovery           | T1424        | Process Discovery
Discovery           | T1418        | Application Discovery
Collection          | T1507        | Network Information Discovery
Collection          | T1412        | Capture SMS Messages
Collection          | T1432        | Access Contact List
Collection          | T1429        | Capture Audio
Command and Control | T1571        | Non-Standard Port
Command and Control | T1573        | Encrypted Channel
Impact              | T1447        | Delete Device Data

Indicators Of Compromise (IOCs)

Indicator | Indicator type | Description
4b7945e3756abb48e2a9b62d8a3a7f633811a1073a20a7d46c121e29b41b6c31 | SHA256 | Hash value of the main APK file
9dc56ee0f128ba3c198777693fa9a6028fa8f54e294d7be2e06ed4bbd8a2e3f7 | SHA256 | Hash value of the DEX file
hxxp://mnbvakjjouxir0zkzmd[.]xyz/ | URL | C&C URL

About Us 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com
