At the end of October, security researchers at Cleafy found new malware that did not appear to belong to any known family. Dubbed SharkBot, the malware has been traced to attacks focused on stealing funds from vulnerable handsets running the Android operating system. Based on research, it appears that the botnet is private and is still in the development stage. SharkBot is modular malware that researchers say belongs to the next generation of mobile malware, able to perform attacks based on the Automatic Transfer System (ATS) technique, which allows attackers to automatically fill in fields on an infected device. Cleafy suggests that SharkBot utilizes this technique in an attempt to bypass behavioral analytics, biometric checks, and multi-factor authentication (MFA). Once executed, the malware immediately requests accessibility permissions and bombards the victim with pop-ups until it obtains access. SharkBot can then quietly perform standard window overlay attacks to steal credentials and credit card information, carry out ATS-based theft, log keystrokes, and intercept or hide incoming SMS messages.
As with any mobile device, applications should only be downloaded from trusted stores and developers. In this case, no samples of SharkBot have been identified on the Google Play Store. Multi-factor authentication (MFA) is a great tool to help prevent attackers from using stolen credentials to log into accounts. MFA should be used across all accounts and devices and be required each time a login is conducted. MFA should also be set up through trusted third-party applications rather than SMS messages, as threat actors can intercept those messages on a compromised device.
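A triage check for the behaviour described above, as an added example that is not from Cleafy's report: it flags packages that hold an enabled accessibility service, were not installed by Google Play, and can read SMS. It assumes the raw output of `settings get secure enabled_accessibility_services` and `pm list packages -i` has been collected over adb; the function names, the `granted` permission map, the allowlist, and all sample data are constructed for illustration.

```python
import re

PLAY_INSTALLER = "com.android.vending"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

def parse_accessibility(raw):
    """Packages from `settings get secure enabled_accessibility_services`
    (colon-separated pkg/service component names, or 'null' when none)."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {c.split("/", 1)[0] for c in raw.split(":") if c}

def parse_installers(raw):
    """Map package -> installer from `pm list packages -i` output lines."""
    out = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out

def triage(a11y_raw, installers_raw, granted, allowlist=frozenset()):
    """Return [(package, reasons)] for accessibility-enabled packages that were
    not installed by Google Play, most reasons first."""
    installers = parse_installers(installers_raw)
    findings = []
    for pkg in sorted(parse_accessibility(a11y_raw) - set(allowlist)):
        installer = installers.get(pkg, "unknown")
        # Heuristic from the page: no SharkBot samples were found on Google Play.
        if installer == PLAY_INSTALLER:
            continue
        reasons = ["accessibility service enabled", f"installer={installer}"]
        if SMS_PERMS & set(granted.get(pkg, ())):
            reasons.append("can read or receive SMS")
        findings.append((pkg, reasons))
    return sorted(findings, key=lambda f: -len(f[1]))

# Constructed sample data (not from a real device or from the SharkBot report).
A11Y = "com.google.android.marvin.talkback/.TalkBackService:com.example.player/.Svc"
INSTALLERS = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.player  installer=null
package:com.example.notes  installer=null"""
GRANTED = {"com.example.player": ["android.permission.RECEIVE_SMS"]}

if __name__ == "__main__":
    for pkg, reasons in triage(A11Y, INSTALLERS, GRANTED):
        print(pkg, "->", "; ".join(reasons))
```

Preinstalled accessibility services often report no installer, so they belong in the allowlist; a hit is a prompt for manual review, not a verdict.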