SharkBot’s main purpose is to use the Automatic Transfer Systems (ATS) technique to carry out money transfers from infected devices, bypassing multi-factor authentication measures. Once it is successfully installed on the victim’s smartphone, attackers can abuse Accessibility Services to collect sensitive financial information such as passwords, private details, current balance, and so on, as well as to perform actions on the infected device.
SharkBot, posing as a media player, live TV, or data recovery app, repeatedly prompts users to grant it broad access in order to steal important information. Its use of accessibility settings to carry out ATS attacks sets it apart, as this allows the operators to auto-fill fields in genuine mobile banking apps and to start financial transactions from infected devices to a money laundering network controlled by the threat actor.
This malware is also known for the measures it takes to avoid discovery, including running emulator checks, securing command-and-control communications with a remote server, and removing the app’s icon from the home screen after installation. There are no samples of the malware on the official Google Play Store, meaning that the malicious apps reach users’ smartphones via sideloading or social engineering tactics.
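The traits described above (an enabled accessibility service, installation from outside Google Play, and a hidden launcher icon) can be combined into a device triage check. The following is an added example, not code from the original article: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and assumes the caller supplies the set of packages that have a launcher icon. All package names in the sample data are constructed.

```python
import re

PLAY_STORE = "com.android.vending"  # installer recorded for Play Store installs

def accessibility_packages(raw):
    """Packages in `settings get secure enabled_accessibility_services` output."""
    raw = raw.strip()
    if not raw or raw == "null":          # nothing enabled
        return set()
    # Colon-separated components, each written "package/class".
    return {c.split("/", 1)[0] for c in raw.split(":") if c}

def installers(raw):
    """Map package -> installer from `pm list packages -i` output."""
    found = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            found[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return found

def triage(acc_raw, pkgs_raw, launcher_pkgs, preinstalled=frozenset()):
    """Flag sideloaded packages that hold an accessibility service."""
    inst = installers(pkgs_raw)
    findings = []
    for pkg in sorted(accessibility_packages(acc_raw) - set(preinstalled)):
        if inst.get(pkg) == PLAY_STORE:
            continue
        # A hidden launcher icon on top of sideloading raises the severity.
        severity = "medium" if pkg in launcher_pkgs else "high"
        findings.append((pkg, severity, inst.get(pkg)))
    return sorted(findings, key=lambda f: f[1] != "high")  # high first

# Constructed sample device state (package names are made up).
SAMPLE_ACC = ("com.google.android.marvin.talkback/.TalkBackService:"
              "com.example.liveplayer/com.example.liveplayer.HelperService:"
              "com.example.recovery/.AssistService")
SAMPLE_PKGS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.liveplayer  installer=null
package:com.example.recovery  installer=com.google.android.packageinstaller
package:com.example.bank  installer=com.android.vending
"""
SAMPLE_LAUNCHER = {"com.example.recovery", "com.example.bank"}

if __name__ == "__main__":
    for pkg, severity, installer in triage(SAMPLE_ACC, SAMPLE_PKGS, SAMPLE_LAUNCHER):
        print(f"{severity:6} {pkg} (installer: {installer})")
```

Preinstalled accessibility services often report no installer, so pass the device vendor's known packages in `preinstalled` to keep them out of the findings.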
SharkBot’s emergence in the wild demonstrates how mobile malware is rapidly developing new ways to commit fraud, attempting to circumvent behavioral detection techniques implemented by a number of banks and financial services in recent years.