Researchers discovered a new Android banking trojan, dubbed SharkBot, that automates the theft of user banking funds and also targets five cryptocurrency applications. SharkBot malware is able to perform attacks based on the Automatic Transfer System (ATS). ATS, an autofill service, is launched to facilitate fraudulent money transfers through legitimate financial service applications, allowing attackers to automatically fill in fields on an infected device with minimal human input. SharkBot is found in applications that have been side-loaded or manually installed by the user, rather than downloaded from the Google Play Store. Once installed on an Android device, SharkBot will immediately request accessibility permissions, allowing the malware to bypass behavioral analytics, biometric checks, and multi-factor authentication (MFA). SharkBot will then perform standard window overlay attacks to steal credentials and credit card information and carry out ATS-based theft; it is also able to log keystrokes and to intercept and hide incoming SMS messages.
The NJCCIC suggests that users of mobile devices only download applications from official sources, such as the Google Play Store and the Apple App Store. More information and indicators of compromise can be found in the Cleafy article.
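
Because SharkBot arrives side-loaded and immediately asks for accessibility permissions, one triage check is to list third-party apps that hold an enabled accessibility service but were not installed by an app store. The script below is an added example, not taken from the NJCCIC or Cleafy material. It assumes the two inputs are the saved output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`; the sample data, package names and the trusted-installer list are constructed for illustration.

```python
# Added example: triage a device for third-party apps that hold an enabled
# accessibility service but were not installed by a trusted store.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play only

def parse_accessibility(raw):
    """'pkg/Service:pkg2/Service2' -> {pkg: [service, ...]}"""
    services = {}
    raw = raw.strip()
    if not raw or raw == "null":          # setting unset or empty
        return services
    for component in raw.split(":"):
        pkg, _, svc = component.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(svc)
    return services

def parse_installers(raw):
    """'package:com.x  installer=com.y' lines -> {pkg: installer}"""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, installer = line[len("package:"):].partition("installer=")
        installers[pkg.strip()] = installer.strip() or "null"
    return installers

def flag_sideloaded_accessibility(a11y_raw, packages_raw):
    installers = parse_installers(packages_raw)
    flagged = []
    for pkg, svcs in parse_accessibility(a11y_raw).items():
        if pkg not in installers:         # not in the -3 list (system app): skip
            continue
        if installers[pkg] not in TRUSTED_INSTALLERS:
            flagged.append((pkg, installers[pkg], sorted(svcs)))
    return sorted(flagged)

# Constructed sample output (package names are made up for illustration).
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.passwordmanager/.AutofillA11yService:"
               "com.example.mediaplayer.update/.core.HelperService")
SAMPLE_PACKAGES = """\
package:com.example.passwordmanager  installer=com.android.vending
package:com.example.mediaplayer.update  installer=null
package:com.example.notes  installer=null
"""

if __name__ == "__main__":
    for pkg, installer, svcs in flag_sideloaded_accessibility(SAMPLE_A11Y, SAMPLE_PACKAGES):
        print(f"REVIEW {pkg} installer={installer} services={svcs}")
```

A flagged package is a lead for review, not a verdict: legitimate side-loaded accessibility tools will also appear, so compare results against the indicators in the Cleafy article.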