
S1055 SharkBot

SharkBot is banking malware, first discovered in October 2021, that attempts to initiate money transfers directly from compromised devices by abusing Accessibility Services.[1]

ID: S1055
Associated Names:
Type: MALWARE
Version: 1.0
Created: 18 January 2023
Last Modified: 28 February 2023

Techniques Used

Domain | ID | Name | Use
mobile | T1517 | Access Notifications | SharkBot can intercept notifications to send to the C2 server and take advantage of the Direct Reply feature.[1]
mobile | T1437 | Application Layer Protocol | -
mobile | T1437.001 | Web Protocols | SharkBot can use HTTP to send C2 messages to infected devices.[1]
mobile | T1407 | Download New Code at Runtime | SharkBot can use the Android "Direct Reply" feature to spread the malware to other devices. It can also download the full version of the malware after initial device compromise.[1]
mobile | T1637 | Dynamic Resolution | -
mobile | T1637.001 | Domain Generation Algorithms | SharkBot contains domain generation algorithms to use as backups in case the hardcoded C2 domains are unavailable.[1]
mobile | T1521 | Encrypted Channel | -
mobile | T1521.001 | Symmetric Cryptography | SharkBot can use RC4 to encrypt C2 payloads.[1]
mobile | T1521.002 | Asymmetric Cryptography | SharkBot has used RSA to encrypt the symmetric encryption key used for C2 messages.[1]
mobile | T1646 | Exfiltration Over C2 Channel | SharkBot can exfiltrate captured user credentials and event logs back to the C2 server.[1]
mobile | T1630 | Indicator Removal on Host | -
mobile | T1630.001 | Uninstall Malicious Application | SharkBot has C2 commands that can uninstall the app from the infected device.[1]
mobile | T1544 | Ingress Tool Transfer | SharkBot can download attacker-specified files.[1]
mobile | T1417 | Input Capture | -
mobile | T1417.001 | Keylogging | SharkBot can use accessibility event logging to steal data in text fields.[1]
mobile | T1417.002 | GUI Input Capture | SharkBot can use a WebView with a fake login site to capture banking credentials.[1]
mobile | T1516 | Input Injection | SharkBot can use input injection via Accessibility Services to simulate user touch inputs, prevent applications from opening, change device settings, and bypass MFA protections.[1]
mobile | T1406 | Obfuscated Files or Information | SharkBot can use a Domain Generation Algorithm to decode the C2 server location.[1]
mobile | T1644 | Out of Band Data | SharkBot can use the "Direct Reply" feature of Android to automatically reply to notifications with a message provided by the C2 server.[1]
mobile | T1424 | Process Discovery | SharkBot can use Accessibility Services to detect which process is in the foreground.[1]
mobile | T1636 | Protected User Data | -
mobile | T1636.004 | SMS Messages | SharkBot can intercept SMS messages.[1]
mobile | T1582 | SMS Control | SharkBot can hide and send SMS messages. SharkBot can also change which application is the device's default SMS handler.[1]

References