SharkBot Android Malware Continues Popping Up on Google Play

Over the past couple of months, security researchers identified several applications in Google Play that were designed to download the SharkBot Android trojan.

SharkBot was initially detailed in November 2021, when it was only being distributed through third-party application stores. The threat was mainly focused on initiating unauthorized money transfers via Automatic Transfer Systems (ATS) by auto-filling fields in legitimate applications.

In early March, NCC Group reported that several SharkBot droppers had made their way into Google Play, all of which showed identical code and behavior.

The first SharkBot dropper found in Google Play was posing as an antivirus application. It was identified as a downgraded version of the trojan containing only minimum features, but capable of fetching and installing the full version at a later date.

NCC Group also discovered that the threat was abusing the ‘Direct Reply’ Android feature – which lets a reply be sent straight from a notification – to deliver a message prompting the recipient to download the fake antivirus application. The same strategy was previously used by the Flubot Android malware.

Around the same time that NCC Group published their research on the Android trojan, Check Point found four SharkBot droppers in Google Play and reported them to Google. They were disguised as security and optimization apps, and were removed from the official app store on March 9.

Over the next several weeks, however, the researchers observed continued attempts from the trojan’s developers to have a dropper published in Google Play. At least two of them were removed the same day they were submitted, before anyone could download them.

Check Point says it discovered a total of six droppers in Google Play, published from developer accounts that were active in the fall of 2021, and which had some of their applications removed from the store. The removed apps, Check Point says, had been installed roughly 15,000 times.

Once installed on an Android device, SharkBot requests permissions that allow it to control the device, luring the user into granting it access to the Android Accessibility feature. This allows it not only to perform illicit money transfers, but also to steal user credentials by displaying fake login windows.

“What is interesting and different from the other families is that SharkBot likely uses ATS to also bypass multi-factor authentication mechanisms, including behavioral detection like bio-metrics, while at the same time it also includes more classic features to steal user’s credentials,” NCC Group notes.

The threat also uses geofencing – it ignores users from Belarus, China, India, Romania, Russia, and Ukraine – and a domain generation algorithm (DGA), with roughly 56 domains created each week. The researchers also identified eight IP addresses that the trojan used for command and control (C&C).

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
