Update: Google has killed six fake antivirus Android apps caught spreading SharkBot malware.
A nasty new Android banking Trojan called SharkBot has been spotted by security researchers, and it's already targeting banks in the United Kingdom and Italy and cryptocurrency apps in the United States.
Like many mobile banking Trojans, said researchers at Italian fraud detection firm Cleafy in a report last week, SharkBot has the ability to intercept text messages to snag two-factor-authentication codes, to put overlays over real banking apps so that users enter passwords into the wrong app, and to log keystrokes.
But SharkBot also does something special. Once it has your account info, it can launch electronic money transfers right from the phone without having to get authorization from the bank or triggering anti-fraud safeguards.
"Mobile malwares are quickly finding new ways to perform fraud, trying to bypass behavioural detection countermeasures put in place by multiple banks and financial services during the last years," the Cleafy report said.
SharkBot masquerades as media-player or utility apps that, as soon as they are installed, ask the user to grant access to Android accessibility services. Those services are meant to aid people with hearing or vision disabilities but in fact give the apps near-total control of the device. And because it's fairly new malware that, according to Cleafy, seems to have been written from scratch, it isn't yet detected by many of the best Android antivirus apps.
The upside is that SharkBot is not (yet) in the Google Play app store, so as long as you stick to that and don't enable the installation of apps from "unknown sources," you'll probably be safe.
As for which banks and cryptocurrency apps SharkBot is targeting, Cleafy didn't provide a list of names, saying only that 14 U.K. banks, eight Italian ones and five U.S. cryptocurrency apps were in SharkBot's sights. But the malware seems to be still under development, so more financial institutions may soon be added to the target list.