Nasty new Android malware cleaning out bank and crypto accounts

Android malware botnet attack
(Image credit: Shutterstock)

Update: Google has killed six fake antivirus Android apps caught spreading SharkBot malware

A nasty new Android banking Trojan called SharkBot has been spotted by security researchers, and it's already targeting banks in the United Kingdom and Italy and cryptocurrency apps in the United States.

Like many mobile banking Trojans, said researchers at Italian fraud detection firm Cleafy  in a report last week, SharkBot has the ability to intercept text messages to snag two-factor-authentication codes, to put overlays over real banking apps so that users enter passwords into the wrong app, and to log keystrokes. 

But SharkBot also does something special. Once it has your account info, it can launch electronic money transfers right from the phone without having to get authorization from the bank or triggering anti-fraud safeguards. 

"Mobile malwares are quickly finding new ways to perform fraud, trying to bypass behavioural detection countermeasures put in place by multiple banks and financial services during the last years," the Cleafy report said.

Once it has your account info, SharkBot can launch electronic money transfers right from the phone without having to get authorization from the bank

SharkBot masquerades as media-player or utility apps, which as soon as they are installed ask the user to grant Android accessibility services that are meant to aid people with hearing or vision disabilities but in fact give the apps near-total control of the device. And because it's fairly new malware that, according to Clearfy, seems to have been written from scratch, it isn't yet detected by many of the best Android antivirus apps.

The upside is that SharkBot is not (yet) in the Google Play app store, so as long as you stick to that and don't enable the installation of apps from "unknown services," you'll probably be safe. 

As for which banks and cryptocurrency apps SharkBot is targeting, Clearfy didn't provide a list of names — just that 14 U.K. banks, eight Italian ones and five U.S. cryptocurrency apps were in SharkBot's sights. But the malware seems to be still under development, so more financial institutions may soon be added to the target list.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.