New ‘SharkBot’ Android Banking Malware Hitting U.S., UK and Italy Targets

A new Android banking trojan has been found targeting international banks from the United Kingdom and Italy (including targets in the U.S.), along with five different cryptocurrency services. Twenty-two instances have been discovered so far, but more are expected.

The malware, first detected at the end of October 2021, appears to be new and still being developed. It was discovered by Cleafy, a Milan, Italy-based online fraud detection and prevention firm. Cleafy calls it ‘SharkBot’, named after the frequency of the word ‘sharked’ in its binaries.

SharkBot is not found in Google’s official marketplace. This means it must be sideloaded by delivering the APK to the device and ensuring it is manually loaded. In a technical analysis of the malware, Cleafy notes that it poses as a legitimate application using common names and icons.

If the deception succeeds and the malware is installed, it immediately attempts to enable Android’s Accessibility Services by delivering fake pop-ups to the victim, such as ‘Allow Media Player to have full control of your device’. If this succeeds, SharkBot has all the permissions it needs.

Once accepted, the malware can enable keylogging (to steal typed credentials), intercept SMS messages (to circumvent MFA), deliver overlay attacks (to steal login credentials and credit card information) and remotely control the device, because the necessary permissions were granted via the fake pop-up. “Basically,” comments Corey Nachreiner, CSO at WatchGuard Technologies, “the malicious Accessibility Services can read anything a user can read and can recreate any action a user can on the device.”

Notably, SharkBot also attempts a relatively novel technique known as an Automatic Transfer System (ATS) attack. “This technique has been seen recently from other banking trojans, such as Gustuff,” explains Cleafy. “ATS is an advanced attack technique (fairly new on Android) which enables attackers to auto-fill fields in legitimate mobile banking apps and initiate money transfers from the compromised devices.”

The ATS functionality is contained in a module downloaded separately from the C2. “Given its modular architecture,” comments Cleafy, “we don’t exclude the existence of botnets with other configurations and targets.”

[ READ: Android Trojan Targets Banks, Crypto-Currencies, e-Commerce ]

The assumption is that SharkBot uses ATS to bypass the behavioral detection measures used by many financial institutions. If ATS is used on what the bank already considers a trusted device, no ‘new device enrollment’ phase is required, SMS-based MFA can be bypassed, and behavioral biometrics are not effective.

Although relatively few instances of SharkBot have been discovered in the wild, Cleafy suspects that the threat will grow, partly because the malware is new and apparently still under active development.

“The implications of becoming infected with SharkBot could be severe, so it’s important,” says Nachreiner, “to avoid being infected altogether.” This is not yet easy. The malware is new and not well detected by existing detection tools. Apart from the domain generation algorithm (DGA) it uses for its C2 servers, it also employs anti-analysis techniques including obfuscated strings and emulator detection.

The best solution is to avoid sideloading religiously. Without 100% certainty in the authenticity of the application and the validity of its source, simply do not install it.

Related: Android Banking Trojan ‘Vultur’ Abusing Accessibility Services

Related: Android Trojan Targets Banks, Crypto-Currencies, e-Commerce

Related: Automatic Transfer System Evades Security Measures, Automates Bank Fraud


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Canadian Teen Arrested Over Theft of $36 Million in Cryptocurrency

A Canadian teen has been arrested for their alleged role in the theft of roughly $36.5 million (CAD$46 million) worth of cryptocurrency from a single victim in the United States, according to the Hamilton Police in Ontario, Canada.

The arrest was made following an investigation that started in March 2020 and in which the FBI and the United States Secret Service Electronic Crimes Task Force participated as well.

SIM swapping was used to perform the cryptocurrency theft, authorities revealed. The technique involves manipulating employees at a wireless network services provider into transferring the victim’s phone number to a SIM card in the attacker’s possession.

This allows the cybercriminals to intercept phone calls and SMS messages the victim might receive, including those that contain two-factor authentication codes.

During the investigation, authorities discovered that some of the stolen funds were used to purchase an online username considered rare in the gaming community. Thus, they were able to uncover the account holder.

Hamilton Police said the unnamed teen was arrested on charges related to the theft of more than $5,000 and for “possession of property or proceeds of property obtained by crime.”

Authorities also said more than $5.5 million (more than CAD$7 million) in cryptocurrency was seized.

Related: FBI: Scams Involving Cryptocurrency ATMs and QR Codes on the Rise

Related: Twitter Hacker Charged Over Theft of $784,000 in Cryptocurrency

Related: Hackers Stole Cryptocurrency From Thousands of Coinbase Accounts


Ionut Arghire is an international correspondent for SecurityWeek.

U.S. Banks Required to Report Cyberattacks to Regulators Within 36 Hours

In less than half a year, banks in the United States will be required to notify federal regulators of serious cybersecurity incidents within 36 hours.

The final version of this cybersecurity incident notification rule was announced on Thursday by the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve, and the Office of the Comptroller of the Currency (OCC).

The rule applies to banking organizations and their service providers, and it will take effect on April 1, 2022, with full compliance extended to May 1, 2022.

“FDIC-supervised banking organizations will be required to notify the FDIC as soon as possible and no later than 36 hours after the banking organization determines that a computer-security incident that rises to the level of a notification incident has occurred,” the agencies said. “The banking organization must provide this notification to the appropriate FDIC supervisory office, or an FDIC-designated point of contact, through email, telephone, or other similar methods that the FDIC may prescribe.”

“Security incidents” are incidents that result in actual harm to the confidentiality, integrity or availability of information systems. “Notification incidents” are incidents that cause serious disruption to operations, ones that prevent the bank from delivering its products and services, or ones that pose a risk to the stability of the financial sector. Examples provided by the agencies include computer failures, DDoS attacks or ransomware attacks.

Bank service providers will be required to report incidents to client banks in case banking services are — or are likely to be — disrupted for more than four hours.

The agencies noted that they want to avoid putting a burden on banks — organizations are only required to inform regulators about an incident, without also needing to provide a full assessment or analysis within the 36 hours.

“This new regulation is a reflection of the growing breadth of impact cyber attacks have on financial services,” commented James Hadley, founder and CEO of Immersive Labs. “Technology is no longer just a part of the industry, but the operating system on which the entire sector runs. Attacks now mean more than short term reputational and financial loss for a single institution, having the potential to spread through interconnected infrastructure with significant impact on people and business.”

“Such regulation will encourage the sharing of critical knowledge at a pace that will allow senior stakeholders inside interlinked organizations to respond more effectively. This kind of swift and collaborative response, coupled with regular exercising, will improve decision making and improve resilience across the board,” Hadley added.

Related: US Poised to Go After Contractors Who Don’t Report Breaches

Related: US Gov Executive Order to Mandate Data Breach Disclosure

Related: Deep Analysis of More than 60,000 Breach Reports Over Three Years


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

California Pizza Kitchen Says Employee Data Stolen in Breach

American pizza chain California Pizza Kitchen (CPK) is notifying employees of a data breach that might have resulted in some of their personal information being accessed by hackers.

The incident was identified on September 15, but the company says it needed several weeks to conclude its investigation. The company began sending out notification letters to affected individuals only on November 15.

Just over 103,000 people — current and former CPK employees — appear to have been affected by the data breach, the pizza chain told the Maine Attorney General.

“We immediately secured our environment and, with the assistance of leading third-party computer forensic specialists, launched an investigation to determine the nature and scope of the incident. On October 4, 2021, the investigation confirmed that certain files on our systems had been subject to unauthorized access,” the company told the affected employees.

Some of the compromised files, CPK explains, contained personal information related to its employees, including names and Social Security Numbers.

The company claims it has no evidence that the compromised information might have been misused, and says it decided to inform all of the potentially affected individuals “out of an abundance of caution.”

Furthermore, CPK says that it took steps to improve the security of its systems, including reviewing existing policies and implementing additional measures, to ensure that it can prevent similar incidents from happening.

“We also reported the incident to law enforcement and will cooperate with any investigation. We are notifying potentially impacted individuals, including you, so that you may take steps to protect your information,” the company notes.

Related: HPE Says Customer Data Compromised in Aruba Data Breach

Related: Missouri Budget Officials Outline $50M Cost of Data Breach

Related: Telecoms Giant Syniverse Discloses Years-Long Data Breach


Ionut Arghire is an international correspondent for SecurityWeek.

SnapAttack Spins Out of Booz Allen Hamilton With $8 Million in Funding

Threat hunting and detection company SnapAttack this week announced closing an $8 million funding round, just as it spun out of Booz Allen Hamilton.

The funding round was led by Volition Capital. Booz Allen Hamilton and Strategic Cyber Ventures (SCV) also invested in the new independent company.

SnapAttack promises an extensive library of labeled attacks, to help security teams deploy validated analytics based on hacker tradecraft. New content is continuously added to the platform to be immediately disseminated and shared.

The platform combines red teaming (offensive) and blue teaming (defensive) tradecraft to find security defects and refine behavioral detections. A vendor-agnostic platform, it can be integrated with SIEM, EDR/XDR, and cloud solutions.

SnapAttack’s platform — which focuses on attack emulation, detection, and behavioral analytics — can help deploy proactive security measures, to help prevent attacks before they happen.

The funding will allow the company to accelerate development of its platform, as well as to add more threat intelligence and analytic content types. Furthermore, the company aims to expand its engineering, product, and sales teams, to drive product adoption.

“SnapAttack is poised to empower a new level of collaboration among the next generation of ethical hackers, threat hunters and security researchers providing advanced insights to stop attackers in their tracks,” said Fred Frey, CTO and founding member of the SnapAttack team.

Related: Cloud Data Protection Startup Laminar Closes $32M Funding Round

Related: Open XDR Company Stellar Cyber Raises $38 Million

Related: Network Security Company Netography Raises $45 Million


Ionut Arghire is an international correspondent for SecurityWeek.

GBG to Acquire Acuant in $736 Million Deal

UK-based identity verification and fraud prevention solutions provider GBG on Thursday announced that it has agreed to acquire Acuant in a $736 million deal.

Acuant is based in California and it specializes in identity verification and Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance. The acquisition, which is expected to close by the end of the month, will help GBG further expand into the United States.

GBG says Acuant’s product suite complements the services provided by its US-based subsidiary IDology.

The combined company has a revenue of roughly £265 million ($355 million), and more than 25,000 enterprise customers around the world.

When announcing the deal, the companies pointed out that the global identity verification market is projected to reach $15.8 billion and the identity fraud market is projected to be worth $9.6 billion by 2025.

Acuant has developed a trusted identity platform that provides a wide range of capabilities, including data capture, identity document authentication, facial recognition matching, anti-money laundering, know your customer, know your business, sanctions screening, transaction monitoring, and dark web checks.

“The US is the largest and most strategic market for location, identity and fraud services,” said Chris Clark, CEO at GBG. “The combination of GBG and Acuant provides a step-change in this market, increasing scale, growing our customer base and introducing us to new and exciting sectors. As importantly, it also strengthens the breadth of our technology portfolio which we can use to support our current customers in new ways in growth geographies such as APAC and Europe where we already have a strong footprint.”

Earlier this year, Acuant announced the acquisition of UK-based identity verification and KYC solutions provider Hello Soda.

Related: TransUnion Acquires Identity Security Company Sontiq for $638 Million

Related: Mastercard Acquires Digital Identity Verification Firm Ekata for $850 Million

Related: CyberArk Acquires Identity as a Service Provider Idaptive for $70 Million


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

SecurityWeek to Host Security Operations Summit as Virtual Event Dec. 8

SecurityWeek will host its 2021 Security Operations Summit as a fully immersive virtual event on December 8, 2021.

In this exclusive SecurityWeek virtual event, defenders from the trenches will share use cases, best practices, insights for adopting tools and processes, and war stories to help make security operations centers (SOCs) more effective and efficient.

Attendees can immerse themselves in a virtual environment to discuss the latest security operations trends and challenges and gain insights into strategies that can maximize the efficiency of enterprise SOCs. Through a cutting-edge platform, attendees can interact with speakers and sponsors, and visit networking lounges, specific zones and sponsor booths.

SecurityWeek’s Security Operations Summit will help address common security operations challenges and demonstrate how efficient workflow and collaboration can lead to improved decision making throughout the threat detection, analysis and incident response processes.

Topics and areas of discussion for the summit will include:

• Modernizing the Security Operations Center

• Establishing Resilient Incident Response Plans

• Addressing the Cyber Skills Gap with Machine Learning and Artificial Intelligence

• Detection and Incident Response Use Cases

• OODA (Observe, Orient, Decide and Act) Loops for Security Teams

• Threat Intelligence and Supply Chain Considerations

• Optimizing Scarce Resources and Managing Workflow to Detect and Respond to Threats Faster

• Improving Defenses Using Threat Intelligence and Information Sharing

• Managing Product Bake-offs, PoCs and Demos

• Evaluating and Leveraging Solutions for Security Orchestration, Automation and Response (SOAR), Security Operations and Analytics Platform Architecture (SOAPA), Extended Detection and Response (XDR), and more



North Korean Hacker Group Intensifies Espionage Campaigns

A North Korea-linked threat actor tracked as TA406 has intensified its attacks in 2021, particularly credential harvesting campaigns, Proofpoint reports.

The adversary, which security researchers also refer to as Kimsuky, Thallium, and Konni, has been targeting organizations in sectors such as education, government, media, and research, as well as other industries.

According to Proofpoint, TA406 aligns the most with Kimsuky activity, which the security firm tracks as three different threat actors, namely TA406, TA408 and TA427.

“Our analysts have tracked TA406 campaigns targeting customers since 2018, but the threat actor’s campaigns remained low in volume until the beginning of January 2021,” the company said.

During the first six months of the year, Proofpoint observed weekly attacks aimed at journalists, experts in foreign policy, and nongovernmental organizations (NGOs), especially those linked to activities that impact the Korean Peninsula. Academics and journalists were also targeted.

As part of a March 2021 campaign, TA406 targeted high-ranking elected officials at various governmental institutions, a consulting firm, defense institutions, law enforcement agencies, and economy and finance organizations. TA406 mainly focuses on targets in North America, China, and Russia.

Active since at least 2012, the adversary doesn’t typically employ malware in its attacks, but the espionage campaigns observed in 2021 were characterized by the use of both malware and credential harvesting.

Employed malware families include Amadey, Android Moez, BabyShark, CARROTBAT/CARROTBALL, FatBoy, KONNI, SANNY, and YoreKey. NavRAT and QuasarRAT also appear to have been used.

Like other North Korean state-sponsored actors, TA406 has also engaged in financially motivated attacks, including sextortion and the targeting of cryptocurrency, the security researchers say.

“Proofpoint assesses with high confidence that TA406 operates on behalf of the North Korean government. […] Proofpoint anticipates this threat actor will continue to conduct corporate credential theft operations frequently, targeting entities of interest to the North Korean government,” the security firm notes.

Related: North Korean Hackers Targeting IT Supply Chain: Kaspersky

Related: ‘World’s Leading Bank Robbers’: North Korea’s Hacker Army

Related: Here’s How North Korean Hackers Stole Data From Isolated Network Segment


Ionut Arghire is an international correspondent for SecurityWeek.

US Indicts Iranians for Election Meddling

The US Justice Department announced indictments Thursday of two Iranians who allegedly took part in an online “disinformation and threat” campaign to influence American voters in the 2020 presidential election.

Mohammad Hosein Musa Kazemi, 24, and Sajjad Kashian, 27, conducted a cyber campaign “to intimidate and influence American voters, and otherwise undermine voter confidence and sow discord,” the department said.

In parallel, the US Treasury announced sanctions on the two men and three others who ran the cybersecurity company they worked for, Emennet Pasargad.

The Treasury said the company was formerly known as Net Peygard Samavat, which was hit with sanctions in 2019, and the Justice Department gave its former name as Eeleyanet Gostar.

Kazemi and Kashian allegedly obtained confidential voter information and sent menacing emails, pushing out false information to influence both Democratic and Republican voters, and attempting to hack into state voting-related websites, the department said.

In one case, they sent out mass emails claiming to be from the far-right Proud Boys militia group that threatened recipients in an attempt to make them change political parties.

[ Related: Supply Chain Security Fears Escalate as Iranian APTs Caught Hitting IT Services Sector ]

In another, they created and disseminated a video that purportedly showed a person hacking state voter websites and creating fraudulent ballots.

The indictment did not tie the two directly to the Iranian government, but noted that the company had done work for the government.

In 2019 the Treasury said Net Peygard Samavat worked with the Islamic Revolutionary Guard Corps.

[ Related: Microsoft Exposes Iran-Linked APT Targeting U.S., Israeli Defense Tech Sectors ]

And in March 2021 US intelligence released a report that said the Iranian government was behind a multi-pronged influence campaign aimed at hurting former president Donald Trump’s reelection chances.

Kazemi and Kashian are charged in federal court in New York with conspiracy to commit computer fraud and abuse for trying to intimidate voters, voter intimidation, and transmission of interstate threats.

Kazemi was also charged with computer hacking and computer fraud. The penalties for the various charges run from one to 10 years in prison.


© AFP 2020

Supply Chain Security Fears Escalate as Iranian APTs Caught Hitting IT Services Sector

Fears of software supply chain attacks escalated again this week with a new warning from Microsoft that it has caught Iranian threat actors breaking into IT services shops in India and Israel and using that access to hit the real targets.

Two of Redmond’s premier threat hunting units — the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU) — are sounding the alarm for a series of intrusions at companies that sell business management and integration software to millions of global organizations.

Once inside the IT services organizations, Microsoft said the Iranian hackers are “extending their attacks to compromise downstream customers,” much like the SolarWinds supply chain mega-hack that snagged thousands of corporate victims globally.

Microsoft warned of a significant surge in these attacks — more than 1,600 notifications to over 40 IT companies in response to Iranian targeting, compared to 48 notifications in 2020 — and warned that the downstream attacks are hitting organizations in the defense, energy, and legal sectors.

“As India and other nations rise as major IT services hubs, more nation state actors follow the supply chain to target these providers’ public and private sector customers around the world matching nation state interests,” Microsoft said in a report calling attention to the surge in these Iran-linked attacks.

[ READ: Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation ]

In July 2021, Microsoft said it caught an Iran-based threat actor that compromised a single Israel-based IT company providing business management software. Microsoft said the hacking group then used its access to that IT company to extend its attacks and compromise downstream customers in the defense, energy, and legal sectors in Israel.

A few months later, Redmond’s threat hunting teams caught a separate Iranian group hacking into email accounts at a Bahrain-based IT integration company that works on IT integration for Bahrain government clients.

Microsoft surmises that the downstream Bahrain government clients “were likely the ultimate target” and warned that the group has also compromised various accounts at a partially government-owned organization in the Middle East that provides information and communications technology to the defense and transportation sectors.

The hacking group maintained persistence at the Bahrain IT integration organization from September through at least October.

[ READ: Microsoft Exposes Iran-Linked APT Targeting U.S., Israeli Defense ]

Microsoft said credentials stolen during the original compromises of IT services companies are then used in the downstream attacks. “[The Iranian attackers] dumped credentials from the on-premises network of an IT provider based in Israel in early July. Over the next two months, the group compromised at least a dozen other organizations, several of which have strong public relations with the compromised IT company,” Microsoft explained.

The company said at least four of those victims were compromised using the credentials and access acquired from the IT company in the July and August attacks.

Redmond’s telemetry has picked up a major surge in these and other Iranian groups targeting IT companies based in India beginning in mid-August. From mid-August to late September, Microsoft said it issued 1,788 nation state notifications (NSNs) across Iranian actors to enterprise customers in India, roughly 80% of which went to IT companies.

Over the three previous years, Microsoft had issued barely 10 such notifications in response to Iranian hacking activity. Because there are no obvious geopolitical reasons for the India targeting, the company believes the Indian IT shops are being used “for indirect access to subsidiaries and clients outside India.”

Related: Microsoft Exposes Iran-Linked APT Targeting U.S., Israeli Defense

Related: Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation

Related: Researchers Link Mysterious ‘MeteorExpress’ Wiper to Iranian Train Cyber Attack

Related: New Code Execution Flaws In SolarWinds Orion Platform


Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a journalist and cybersecurity strategist with more than 20 years experience covering IT security and technology trends.
Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan’s career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World.
Ryan is a director of the Security Tinkerers non-profit, and a regular speaker at security conferences around the world.
Follow Ryan on Twitter @ryanaraine.
