SharkBot Android Malware Continues Popping Up on Google Play

Over the past couple of months, security researchers identified several applications in Google Play that were designed to download the SharkBot Android trojan.

SharkBot was initially detailed in November 2021, when it was only being distributed through third-party application stores. The threat was mainly focused on initiating unauthorized money transfers via Automatic Transfer Systems (ATS) by auto-filling fields in legitimate applications.

In early March, NCC Group reported that several SharkBot droppers had made their way into Google Play, all of which showed identical code and behavior.

The first SharkBot dropper found in Google Play posed as an antivirus application. It was a stripped-down version of the trojan containing only a minimal feature set, but it was capable of fetching and installing the full version at a later date.

NCC Group also discovered that the threat was abusing Android's 'Direct Reply' notification feature, automatically replying to incoming message notifications with a link to download the fake antivirus application. The same strategy was previously used by the Flubot Android malware.

Around the same time that NCC Group published their research on the Android trojan, Check Point found four SharkBot droppers in Google Play and reported them to Google. They were disguised as security and optimization apps, and were removed from the official app store on March 9.

Over the next several weeks, however, the researchers observed continued attempts from the trojan’s developers to have a dropper published in Google Play. At least two of them were removed the same day they were submitted, before anyone could download them.

Check Point says it discovered a total of six droppers in Google Play, published from developer accounts that were active in the fall of 2021, and which had some of their applications removed from the store. The removed apps, Check Point says, had been installed roughly 15,000 times.

Once installed on an Android device, SharkBot requests permissions that give it control over the device, luring the user into enabling it as an Android Accessibility service. Accessibility access lets it read and act on what is shown on screen, which it uses not only to perform illicit money transfers but also to steal user credentials by displaying fake login windows over legitimate applications.
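Because the abuse described above depends on the victim enabling a rogue Accessibility service, a practical triage step on a suspect device is to list which services are enabled and which packages they belong to. The script below is an added example, not code from the article or from the researchers it cites: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i` and flags any enabled service whose package is not on an allowlist. The sample outputs, the `com.example.fakeav` package and the allowlist contents are constructed for the example.

```python
"""
Triage check: which Accessibility services are enabled on an Android device,
and do any of them belong to packages outside a known-good allowlist?
The two inputs are the raw text of:
    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -3 -i
The samples below are constructed for this example; run against a real
device by piping the adb output into the parse functions.
"""
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample: Android stores enabled services as "package/Class"
# entries separated by ':' (the value is "null" when none are enabled).
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeav/com.example.fakeav.AccService"
)

# Constructed sample: third-party packages with their installer, as printed
# by `pm list packages -3 -i`. "null" means sideloaded or unknown installer.
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeav  installer=com.android.vending
package:com.example.sideloaded  installer=null
"""

# Assumption for the example: only TalkBack is an approved accessibility tool.
ALLOWLIST: FrozenSet[str] = frozenset({"com.google.android.marvin.talkback"})


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the enabled_accessibility_services value into (package, class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs: List[Tuple[str, str]] = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, sep, cls = entry.partition("/")
        # Android allows the shorthand "pkg/.Cls", meaning "pkg/pkg.Cls".
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls if sep else ""))
    return pairs


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package name -> installer from `pm list packages -i` output."""
    installers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        tokens = line[len("package:"):].split()
        if not tokens:
            continue
        pkg = tokens[0]
        installer = next(
            (t.split("=", 1)[1] for t in tokens[1:] if t.startswith("installer=")),
            "unknown",
        )
        installers[pkg] = installer
    return installers


def flag_services(
    enabled: List[Tuple[str, str]],
    installers: Dict[str, str],
    allowlist: FrozenSet[str] = ALLOWLIST,
) -> List[Tuple[str, str, str]]:
    """Return (package, class, installer) for every enabled service not on the allowlist.

    The installer is reported for context only: a Play Store installer is not
    a clean bill of health, since the droppers discussed here came from Google Play.
    """
    return [
        (pkg, cls, installers.get(pkg, "unknown"))
        for pkg, cls in enabled
        if pkg not in allowlist
    ]


def triage(
    enabled_raw: str = SAMPLE_ENABLED,
    packages_raw: str = SAMPLE_PACKAGES,
    allowlist: FrozenSet[str] = ALLOWLIST,
) -> List[Tuple[str, str, str]]:
    """Run the full check on raw adb output and return the findings."""
    return flag_services(
        parse_enabled_services(enabled_raw), parse_installers(packages_raw), allowlist
    )


if __name__ == "__main__":
    for pkg, cls, installer in triage():
        print(f"REVIEW: {pkg} ({cls}) installer={installer}")
```

On a real device, replace the constructed samples with the output of the two adb commands; a finding means a package outside the allowlist can read screen content and inject input, which is the capability SharkBot needs for its overlays and automated transfers, so the package should be examined rather than assumed benign because it was installed from the Play Store.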

“What is interesting and different from the other families is that SharkBot likely uses ATS to also bypass multi-factor authentication mechanisms, including behavioral detection like biometrics, while at the same time it also includes more classic features to steal user’s credentials,” NCC Group notes.

The threat also uses geofencing – it ignores users from Belarus, China, India, Romania, Russia, and Ukraine – and a domain generation algorithm (DGA), with roughly 56 domains created each week. The researchers also identified eight IP addresses that the trojan used for command and control (C&C).

Written By

Ionut Arghire is an international correspondent for SecurityWeek.