{
	"id": "c2e5c2cc-8889-4e49-9966-961ec4f9b00e",
	"created_at": "2026-04-10T03:21:27.599125Z",
	"updated_at": "2026-04-10T03:22:17.567339Z",
	"deleted_at": null,
	"sha1_hash": "281bf4effc25e62ab441de29acaa7f9d77e52c0c",
	"title": "Google is on guard: sharks shall not pass!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 155245,
	"plain_text": "Google is on guard: sharks shall not pass!\r\nBy alexandrsh\r\nPublished: 2022-04-07 · Archived: 2026-04-10 03:02:34 UTC\r\nResearch by: Alex Shamshur, Raman Ladutska\r\nIntroduction\r\nWhen you search for Anti-Virus (AV) solutions to protect your mobile devices, you don’t expect these solutions\r\nto do the opposite, i.e., make devices vulnerable to malware.\r\nThis is what the Check Point Research (CPR) team encountered while analyzing suspicious applications found in\r\nGoogle Play. These applications pretended to be genuine AV solutions while in reality they downloaded and\r\ninstalled an Android stealer called Sharkbot.\r\nSharkbot steals credentials and banking information. The malware implements a geofencing feature and evasion\r\ntechniques that make it stand out in the field. It also makes use of a Domain Generation Algorithm (DGA), an\r\naspect rarely used in the world of Android malware. Sharkbot lures victims to enter their credentials in windows\r\nthat mimic benign credential input forms. When the user enters credentials in these windows, the compromised\r\ndata is sent to a malicious server.\r\nSharkbot has a handful of tricks up its sleeve. It doesn’t target every potential victim it encounters, but only select\r\nones, using the geofencing feature to identify and ignore users from China, India, Romania, Russia, Ukraine or\r\nBelarus.\r\nFigure 1 – Geofencing feature as implemented in Sharkbot.\r\nEvasion techniques are also a part of Sharkbot’s arsenal. 
If the malware detects it is running in a sandbox, it stops\r\nthe execution and quits.\r\nFigure 2 – Evasion technique encountered in Sharkbot.\r\nhttps://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/\r\nPage 1 of 33\n\nIn the Google Play store, we spotted a total of six different applications that were spreading Sharkbot.\r\nFigure 3 – Icons and names of the applications we found.\r\nThese six applications came from three developer accounts: Zbynek Adamcik, Adelmio Pagnotto and Bingo\r\nLike Inc. When we checked the history of these accounts, we saw that two of them were active in the fall of\r\n2021. Some of the applications linked to these accounts were removed from Google Play, but still exist in\r\nunofficial markets. This could mean that the actor behind the applications is trying to stay under the radar while\r\nstill involved in malicious activity.\r\nThe applications removed from Google Play were downloaded and installed approximately 15 thousand times.\r\nThe following information was obtained from www.appbrain.com.\r\nFigure 4 – Statistics of the developers’ accounts. Unpublished applications are outlined.\r\nAfter spotting the applications that spread Sharkbot, we immediately contacted Google and reported our findings.\r\nAfter a fast yet thorough examination, all the applications that were found spreading Sharkbot were permanently\r\nremoved from the Google Play store.\r\nHowever, the Sharkbot malware is still active. 
In this article, we provide a deep technical analysis of Sharkbot and\r\nreveal the steps that helped us to spot the malware-spreading applications on Google Play.\r\nTimeline\r\nFebruary 25, 2022 – We discovered 4 SharkBot dropper applications on Google Play.\r\nMarch 03, 2022 – We reported the applications we found to Google.\r\nMarch 03, 2022 – NCC Group published their research on the Sharkbot dropper.\r\nMarch 09, 2022 – The reported applications were removed from Google Play.\r\nMarch 15, 2022 – One more SharkBot dropper discovered on Google Play, 0+ installs. The same day we\r\nreported this application to Google.\r\nMarch 22, 2022 – One more SharkBot dropper discovered on Google Play, 0+ installs. The same day we\r\nreported this application to Google.\r\nMarch 27, 2022 – The newly found SharkBot droppers were removed from Google Play.\r\nTechnical analysis\r\nWe already mentioned that Sharkbot implements evasion techniques and a geofencing feature, but these are not its\r\nonly noteworthy tricks. Another distinctive aspect present in Sharkbot is the use of DGA, which is rarely seen in\r\nAndroid malware. With DGA, one sample with a hardcoded seed generates 7 domains per week. Including all the\r\nseeds and algorithms we have observed, there is a total of 56 domains per week, i.e., 8 different combinations of\r\nseed/algorithm.\r\nSpeaking of its main functionality, Sharkbot implements the traditional toolkit for Android bankers and stealers.\r\nAs a vivid example, we saw the abuse of the Accessibility Service, which provides the application with access to\r\nall the data seen by the user and also allows the application to interact with the interface as though it\r\nwere a person.\r\nDuring our observations, 27 versions of the bot were discovered. The main differences between the versions are\r\ndifferent DGA seeds as well as different botnetID and ownerID fields. 
For more information on the different\r\nversions and a change log, see the Appendix.\r\nCommands\r\nThe Sharkbot malware implements a total of 22 commands that allow various kinds of malicious actions to be\r\nexecuted by a Command-and-Control server (CnC) on the infected device.\r\nThis table shows the commands used and their descriptions:\r\n№ Command Description\r\n1 smsSend Requests permission for sending SMS.\r\n2 updateLib Downloads and stores a jar file with Java code.\r\n3 updateSQL Updates a given option in the local DB.\r\n4 updateConfig Updates the different options.\r\n5 uninstallApp Uninstalls a given application.\r\n6 collectContacts Sends the contacts list to the server.\r\n7 changeSmsAdmin Asks the user to change the default SMS manager.\r\n8 getDoze Disables battery optimization, so Sharkbot can run in the background.\r\n9 sendInject Creates the “Injection” window from a given URL.\r\n10 iWantA11 Asks the user to enable Sharkbot as an Accessibility Service.\r\n11 updateTimeKnock Updates the “TIME_KNOCK_ADMIN” option.\r\n12 sendPush Displays a push notification for the user.\r\n13 APP_STOP_VIEW Prevents the user from activating the application.\r\n14 Swipe Imitates the user’s swipe over the device’s screen.\r\n15 autoReply Sets up an autoreply message on push notifications.\r\n16 removeApp Silently uninstalls a given application.\r\n17 serviceSMS Sends SMS messages to the provided phone numbers with a provided text.\r\n18 getNotify Turns on the Notification Listener permission for the Sharkbot application.\r\n19 localATS Starts given applications and logs all Accessibility Events.\r\n20 sendSMS Sends an SMS with given text to a given number.\r\n21 downloadFile Downloads a file from the provided URL and stores it locally with an APK extension.\r\n22 stopAll The command is passed to the jar file dropped with the updateLib command.\r\nIf an unknown command arrives from the server, it is passed to the jar file dropped with the updateLib\r\ncommand.\r\nBelow we provide a more detailed description of the commands supported by the malware.\r\nsmsSend\r\nChecks if permission for sending SMSs is granted. If not, then the user is asked to grant permission to send and\r\nread SMSs.\r\nupdateLib\r\nWith this command, the CnC sends code for overlay injects for the user’s applications. The code is saved to a local\r\njar file. We named this module jarMod. The CnC can send commands to jarMod, including updateConfig,\r\nchangeSmsAdmin and any uncategorized command.\r\nFigure 5 – Code block of the executable dropper.\r\nupdateSQL\r\nSharkbot stores local configuration in an SQLite DB (database) in the file database.db or sharked.db located\r\nat the path /data/data/\u003cpackage_name\u003e/databases/ . Values in the DB are stored in encrypted form.\r\nFigure 6 – Example of a local database.\r\nWith the updateSQL command, values in the database can be updated.\r\nupdateConfig\r\nWith this command, the CnC address and the name of the application for injection can be updated:\r\nFigure 7 – Storing new configuration.\r\nuninstallApp\r\nUninstalls the application with the provided package name:\r\nFigure 8 – Uninstalling an application.\r\ncollectContacts\r\nCollects and sends contacts to the server.\r\nchangeSmsAdmin\r\nSends the names of the old and currently default SMS applications to the CnC, and sends a command to the previously\r\ndownloaded jar code (see the updateLib command).\r\nFigure 9 – Handler of the changeSmsAdmin command.\r\ngetDoze\r\nUsed to disable battery optimization for Sharkbot’s package.\r\nFigure 10 – Disabling battery optimization for the Sharkbot application.\r\nsendInject\r\nPerforms an overlay inject 
with a form from a provided URL.\r\nhttps://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/\r\nPage 7 of 33\n\nFigure 11 – Performing inject.\r\niWantA11\r\nUsed to enable the Accessibility Service for Sharkbot:\r\nFigure 12 – To enable the Accessibility Service for Sharkbot.\r\nupdateTimeKnock\r\nSet the field “TIME_KNOCK_ADMIN” in the local DB to the provided value.\r\nFigure 13 – Updating knock time.\r\nsendPush\r\nShows the user a push message with provided text.\r\nhttps://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/\r\nPage 8 of 33\n\nFigure 14 – Code to show a push-message to the user.\r\nAPP_STOP_VIEW\r\nWith this command, the CnC sets up package names for which the Accessibility Service prevents the user from\r\naccessing these applications:\r\nFigure 15 – Prevent the user from accessing an application.\r\nBy default, 2 package names are used: com.android.settings and com.samsung.accessibility\r\nFigure 16 – Default applications to prevent access.\r\nhttps://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/\r\nPage 9 of 33\n\nSwipe\r\nWith this command Sharkbot can imitate the user’s swipe over the device’s screen:\r\nFigure 17 – Emulating swipe sequences.\r\nThis appears as if it was designed to unlock an application or the whole device.\r\nautoReply\r\nThis is not an actual command, but a field in the updateConfig command. With the autoReply field, the server\r\nsends a message to imitate an answer on push events. The command consists of an array with two fields in each\r\nelement of the array:\r\nFigure 18 – Example of the autoReply field.\r\nIt is possible to set different messages for each application. On Figure 18, you can see messages for two different\r\napplications: WhatsApp messenger and Facebook messenger.\r\nIn Figure 18, we caught the test period for the development of the autoreply feature. 
We can say that because both\r\nmessages target www.google.com.\r\nYou can also use one message for all notifications. Here is a variant from the production usage:\r\nhttps://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/\r\nPage 10 of 33\n\nFigure 19 – One message for all notifications.\r\nremoveApp\r\nThis is not a command, but a field of the updateConfig command. With the removeApp command, the server\r\nsends a huge list of applications which should be uninstalled from the user’s device. At present, this list contains\r\n680 applications.\r\nFigure 20 – Uninstalling applications.\r\nNetwork\r\nThere are very few types of malware that can work without communicating with a CnC server; stealers and\r\nbankers are the ones which can’t. If a malware operator has several servers, then it’s easy to block access to them\r\neither by a corporate firewall, or with the AV software installed on the device. After the CnCs are blocked, an\r\noperator can change the domain name of the CnC server but how are already installed clients supposed to learn\r\nabout the server change? This is where Domain Generation Algorithm enters the scene.\r\nDGA is an algorithm by which a malicious client and malicious actor can change the CnC server in concert,\r\nwithout any communication. DGA is a piece of code which runs on a client and generates dynamic names for the\r\nCnC server, so if today one CnC server is blocked then within a day, a week or a month, a new name for the CnC\r\nwill be generated and used. This algorithm complicates the process of blocking malware operators’ servers.\r\nUsually DGA consists of two parts: the actual algorithm, and the constants used by the algorithm. 
These constants\r\nare called DGA seeds.\r\nAs we mentioned earlier, implementing DGA is rarely observed in Android malware, but Sharkbot is an exception.\r\nBefore the connection to the DGA domains is made, Sharkbot attempts to connect to the static URL hardcoded\r\ninside:\r\nhttps://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/\r\nPage 11 of 33\n\nFigure 21 – Static CnC URL.\r\nOnly if the static server does not respond, Sharkbot uses an embedded DGA procedure to get relevant domains for\r\nthe current date and then attempts to connect to them one by one:\r\nFigure 22 – DGA code.\r\nThe final string for DGA consists of several fields:\r\nCurrent year (using since 02.09.2022)\r\nCurrent week number\r\nseed-word\r\nKey pojBI9LHGFdfgegjjsJ99hvVGHVOjhksdf\r\nWe noticed that the seed-word is changed across samples. We caught the following variants:\r\n“sharked”\r\n“traff”\r\n“jarmi”\r\n“” (no word)\r\nhttps://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/\r\nPage 12 of 33\n\nFigure 23 – Using seeds in domain name generation.\r\nProtocol\r\nThe exchange with the CnC server happens over HTTP with POST request on path /. Each request and answer is\r\nencrypted with RC4. The key for RC4 is transferred encrypted with the RSA public key. The request consists of 2\r\nfields:\r\nrkey: Used to transfer the RC4 encryption key. The key is encrypted with the RSA public key.\r\nrdata: Used for data, encrypted with RC4.\r\nFigure 24 – RAW request to the server.\r\nThe answer consists of the encrypted data only.\r\nhttps://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/\r\nPage 13 of 33\n\nFigure 25 – RAW answer from the server.\r\nIn a clean view protocol you can find the JSON data. The bot acts as a client, and the CnC acts as a server. 
A\r\ntypical request from the bot looks like this:\r\nFigure 26 – Decrypted request to the server.\r\nWhen the server has no commands to send, it answers with “ok”:\r\nFigure 27 – Server answer without a command.\r\nWhen the server has commands for the bot, the answer looks like this:\r\nFigure 28 – Server answer with a command.\r\nThese are the fields in the answer:\r\ndataCommand: Type of packet.\r\ncommand: Type of command.\r\nCommandID: We observed that this field is increased by one for every command, and is sent by the server.\r\ndata: Command data, whose contents depend on the type of command.\r\nKeep alive\r\nAt a fixed interval, the bot sends a knock-packet to the server. By default, this packet is sent\r\nevery 30 seconds. The server can change the interval with the command updateTimeKnock. Here is how a\r\nknock-packet looks:\r\nFigure 29 – Keep-alive packet.\r\nThe value of the knock field is chosen at random:\r\nFigure 30 – Choosing the knock value.\r\nInfrastructure\r\nAt the time of publication, we counted 8 IP addresses which were Sharkbot’s CnC servers at different times.\r\nDuring our research of the infrastructure, we spotted a field commandID in some answers from the server. This\r\nfield is used to identify each command sent from the server to the client.\r\nAfter more detailed analysis, we can assume that this field is increased by one for each command sent from the\r\nserver. 
During our experiments, we noticed that this value does not depend on the particular CnC server but\r\ninstead is a common value for all of them.\r\nHere are the logs of the requests and response exchange with different servers on January 25, 2022, one after the\r\nother:\r\nServer mnbvakjjouxir0zkzmd[.]xyz with IP 31[.]214.157.112 :\r\nhttps://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/\r\nPage 15 of 33\n\nFigure 31 – Request to the server, at 15:45:12.487.\r\nFigure 32 – Answer from the server, at 15:45:13.80.\r\nServer mjaynxbvakjjouxir0z[.]xyz with IP 109[.]230.199.99 :\r\nFigure 33 – Request to the server, at 15:48:06.448.\r\nhttps://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/\r\nPage 16 of 33\n\nFigure 34  – Answer from the server, at 15:48:07.45.\r\nAs you can see, the value of commandID changed by exactly one. From this we can assume even more:\r\nThere is one real server, and the others work as relays.\r\nWe can use the values of the field commandID to evaluate the activity of the server sending commands to\r\nclients.\r\nUsing the value of the commandID field, we can estimate the activity of Sharkbot’s servers. We calculated an\r\naverage increase of the commandID value per hour for the period from January 26 to March 23 and got the\r\nfollowing result:\r\nFigure 35 – Sharkbot server activity.\r\nWe can see that activity increased, with the peak at the beginning of March. 
This correlates with the active use of\r\nSharkbot’s dropper on Google Play.\r\nThe following chart shows the number of unique IP addresses encountered in the period from February 14 to\r\nFebruary 20:\r\nBlue bars denote the count of unique IP addresses per day.\r\nRed bars denote the count of unique IP addresses, excluding the ones already seen in the previous days.\r\nFigure 36 – Unique IP address statistics observed in the middle of February.\r\nDuring our observation for this particular week in February, we saw approximately one thousand unique IP\r\naddresses in total.\r\nThe following chart shows the location-based statistics. The main targets are Italy and the United Kingdom.\r\nFigure 37 – Regional statistics.\r\nDroppers\r\nNow that we have described the different aspects of Sharkbot, to complete the picture, we discuss the methods by which\r\nSharkbot spreads. As mentioned at the beginning, the malware is downloaded and installed by the dropper\r\napplications in Google Play which masquerade as AV solutions. These are the applications:\r\ncom.abbondioendrizzi.tools.supercleaner\r\ncom.abbondioendrizzi.antivirus.supercleaner\r\ncom.pagnotto28.sellsourcecode.alpha\r\ncom.pagnotto28.sellsourcecode.supercleaner\r\ncom.antivirus.centersecurity.freeforall\r\ncom.centersecurity.android.cleaner\r\nThey have some additional tricks.\r\nThe droppers detect emulators and quit if one is found. No communication with the CnC is started in this case:\r\nFigure 38 – Emulation evasion and region restriction code.\r\nThere is also a geofencing technique implemented inside the droppers, as can be seen in the image above. 
The\r\nmalicious part of the applications is not triggered if the locale is set to China, India, Romania, Russia, Ukraine or\r\nBelarus.\r\nThe part of the application controlled by the CnC server understands 3 commands:\r\nb: Download and install the APK file from the provided URL.\r\nc: Store the autoReply field in a local session.\r\nd: Restart the execution of the local session.\r\nAll of these applications request the same set of permissions:\r\nFigure 39 – Permissions.\r\nThe applications register the service to get access to Accessibility Events:\r\nhttps://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/\r\nPage 20 of 33\n\nFigure 40 – Accessibility Service description.\r\nBelow we describe the key parts of the malicious code in the applications.\r\nAccessibility Service\r\nWith this command from the CnC, an application can abuse the Accessibility Service for its own needs. The\r\nAccessibility Service is able to execute different “tasks”, which are extracted from the Intent:\r\nFigure 41 – Setting up the Accessibility Service “task.”\r\n This “task” is later used in the event’s dispatcher. For example:\r\nhttps://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/\r\nPage 21 of 33\n\nFigure 42 – Accessibility Service “task” dispatching.\r\nThe “task” describes which actions should be performed for particular events. 
For example, the default “task”\r\nlooks like this:\r\nFigure 43 – Accessibility Service “task” by default.\r\nThis “task” instructs the Accessibility dispatcher to perform a CLICK on a node which contains the text Alfa\r\nAntivirus, Cleaner.\r\nThe Accessibility dispatcher supports the following actions:\r\nCLICK: Performs a click action on a chosen control.\r\nSCROLL_BACKWARD: Performs a back action on a chosen control.\r\nintent: Performs a permission request for android.settings.MANAGE_UNKNOWN_APP_SOURCES or\r\nandroid.settings.action.MANAGE_OVERLAY_PERMISSION\r\nDuring the execution of a given “task”, every event is sent to the CnC:\r\nFigure 44 – Sending an Accessibility event to the CnC server.\r\nAPK install\r\nThe malware can drop and install an APK file on the user’s device:\r\nFigure 45 – Code to install the application.\r\nFigure 46 – Code to drop the application.\r\nNotifications\r\nThe stored field autoReply works the same way as autoReply for Sharkbot, as described earlier. The malware\r\nanswers with a message provided by the CnC to the application which generates a push notification.\r\nDropper Summary\r\nJudging by their functionality, the droppers clearly pose a threat by themselves,\r\nbeyond just dropping the malware. The droppers are able to inspect and act on all the UI events of the device as\r\nwell as replace notifications sent by other applications. In addition, they can install an APK downloaded from the\r\nCnC, which provides a convenient starting point to spread the malware as soon as the user installs such an\r\napplication on the device.\r\nConclusion\r\nIn the ever-changing contemporary (cyber-)world, nothing should be taken for granted. 
If a new AV solution\r\nappears in Google Play today, there’s no way to guarantee it won’t turn out to be a malware-spreading threat\r\ntomorrow. This is the exact case we observed with the Sharkbot malware.\r\nIn this spreading scheme, the malware itself is not uploaded to Google Play but rather the intermediate link is,\r\nwhich masquerades as legitimate software. As we can see by more than 15,000 installations for all the\r\napplications in total, people can be lured by a beautiful icon and a promise to “protect their devices.”\r\nThe Check Point Research Team is constantly monitoring this and other threats in the mobile landscape, and we\r\nimmediately notified Google of the malicious behavior we encountered. Despite a fast response from Google,\r\nwhich removed applications linked to threat actor accounts, more attempts were made in Google Play with more\r\ndroppers from different accounts. They were all subsequently removed as well, but the damage from 15,000\r\ninstallations was already done.\r\nGoogle Play Protect’s solid reputation should not decrease user awareness that threat actors are constantly\r\nevolving their malware and looking for new schemes to execute this malware on victims’ devices. Our advice to\r\nAndroid users:\r\nInstall applications only from trusted and verified publishers.\r\nIf you see an application from a new publisher, search for analogs from a trusted one.\r\nReport to Google any seemingly suspicious applications you encounter.\r\nProtections\r\nCheck Point’s Harmony Mobile prevents malware from infiltrating mobile devices by detecting and blocking the\r\ndownload of malicious apps in real time. 
Harmony Mobile’s unique network security infrastructure – On-device\r\nNetwork Protection – allows you to stay ahead of emerging threats by extending Check Point’s industry-leading\r\nnetwork security technologies to mobile devices.\r\nThreat Emulation protections:\r\nSharkbot.TC.*\r\nIOCs\r\nHashes and package names\r\nSharkbot dropper\r\nPackage names:\r\ncom.antivirus.centersecurity.freeforall\r\ncom.centersecurity.android.cleaner\r\ncom.pagnotto28.sellsourcecode.supercleaner\r\ncom.pagnotto28.sellsourcecode.alpha\r\ncom.abbondioendrizzi.tools.supercleaner\r\ncom.abbondioendrizzi.antivirus.supercleaner\r\nHashes:\r\nhttps://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/\r\nPage 25 of 33\n\nd4ba0965018aab23f02308a558e914b5ef3d03a4c90989abafd6555a9b89bf09\r\n2c5b40ab7b1f05bc00a07f7bdcaa15920031aa4a3158c23488446076980d4e0a\r\n7f55dddcfad05403f71580ec2e5acafdc8c9555e72f724eb1f9e37bf09b8cc0c\r\nfe1b3b43579f34fbd78b1100d51601500d7eebae74d6ef6e783aae9ac4168c83\r\ne5b96e80935ca83bbe895f6239eabca1337dc575a066bb6ae2b56faacd29ddaa\r\n3ae682895af9504d3ee66ca9508066cd46d9679316bc06d206d6fae4cba56244\r\n71c78101f7792fe879a082e323fed89c5e4a43132d01d3f79ed02afd8db45497\r\nd70a716fa7d20e01a05f753cb4d4a2150b133b12e73bdfbfe8b85eb61bc9ac43\r\n187b9f5de09d82d2afbad9e139600617685095c26c4304aaf67a440338e0a9b6\r\n35662d2e0c7f15b75b3b48311dae88e38929336cb43dd93df03b58c6221bc3db\r\n20e8688726e843e9119b33be88ef642cb646f1163dce4109b8b8a2c792b5f9fc\r\n4f6d798790d0322e365cd6901f1bb77975974a0f5b9bb5ac79abf05ffded3699\r\n8f6875af2c7c6a75c3614fa95802e56bda4ee817646887b376e9fa8c0efad0bf\r\n8587fe68f6a0cfe339c3e7947f52d8921c2e68f673165a624ddb203a184291fd\r\nc07ec33a4e4533dc445c5e71d3fc3fea8d448844a2541fe91b014f85f677939c\r\n748368c90f214069c12bc8947f07adc27c9531aa70505a5f146ddd0e300bebd4\r\nc6cc90ed003a0acb501a2d805c16c6b0380ac510392642dc774c3a686cb028ee\r\nc4a0901e140f3d253f8a6ddbd91d754d098450f5639b48defe7fa73c41b92737\r\nSharkbot\r\nHash 
Version\r\nc9fe0ecacd2046506b6330ae052171e1ba7709ecf5212cd84b95c1a2e7c2e22a 1.12.0\r\n0324493329de0e0d90b93e1515ba6bdd1616d92dcdefd6956b169b18dd2955d0 1.18.0\r\n03b65bd943fd499a076b8e5032dda729c2086642c313d228462fcb7caeadc10b 1.18.0\r\n10dac61e734578db38a6f28e4740edf55b3c20129c4d016c3f9d2520f39dc37b 1.18.0\r\n2a3554231a454092319014eaa86bcd4cccaa621a21cc1db4ec4a4670a1b5dde7 1.18.0\r\n57f8a57320eeed2f5b5a316d67319191ce717cc51384318966b61f95722e275f 1.18.0\r\nhttps://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/\r\nPage 26 of 33\n\n5806e7209ca645de8ff2e1afeca06e2819ecdb4905c3063156b8584a54637bb9 1.18.0\r\n84baa47fccbb8444ca41a9b4deb5117174b82f0a834d2ed603428a9ce96f1034 1.18.0\r\n966c64504b9c0899846c6c2011decca0c540707536f8f4da2bee000b65be431c 1.18.0\r\na8ab9045a6bc10e0b1148dc8c4b7dc087ca5f5d2ad6bff7bc2dab540bee8e634 1.18.0\r\naa627b6a4558305ab581991bb5a6f576963e40cda91321165967041d8d175194 1.18.0\r\nc25c14c7204a33ff91f456217f123adcdd507e45a85ea5d47fec56deb4616861 1.18.0\r\nd07cbb4ba88d815d3ecd23e6da699a4603029aa875b706090dba17db50d2d182 1.18.0\r\nd389e62433111fccb61d25a0b0f3dc44f0ece11121fd6e42afe633edb14e113a 1.18.0\r\n02a3e0a3d922423dbf5028bc27ea623d8d0f3cd93521bf5bb3b6667dede16fbd 1.26.0\r\n0a5c3a3b6bc50bd48613a4f516e6d6158a000250ce049dc3fa6ddd02ed52db11 1.26.0\r\naaba87e288a8f07f3b61099998b0ab4e0269450c0f6572c48b041bc983159457 1.26.0\r\nfb7e8cd53038cefe3bb07043d5fc3cc48c6c1de67d563da1ed56cd0fa360c526 1.26.0\r\n2de6a4c5891a601b2d5b8c81af182738c7cec32804b64d7f9026fb03f3a55d8e 1.27.0\r\n37bacbe023d67ed990e5e5bdd2497878e0642b46a30e169f25313054d0e64121 1.27.0\r\nbee3fc6b875e49edaa983ef9d38d0bcafe82abca82e684ef4fdca6df0c695c8b 1.27.0\r\ndbb5e5d553f402d7afd55dd177b1e740d289f65108e3a4e91cc2bad33f2f0327 1.27.0\r\nf5bc9b344ee9edf37a24e77a66b8430b7a4636c5475e404c06370eaa7e94cd8b 1.27.0\r\nfd95e999f8d477043ea6012768bee417a989a4e925a641b9e6c4ff74d798dec6 1.27.0\r\n8f45831b1df8fe44111e35b05271f6ec1796b03c104a67cd6481bf93f2affe86 
1.31.0\r\n
Network\r\nStatic domains and URLs\r\nAppendix – Sharkbot versions\r\nThis is a list of all Sharkbot versions we have observed so far:\r\nVersion | First seen | Last seen | Notes\r\n1.18.0 | November 2, 2021 | January 3, 2022 |\r\n1.26.0 | December 3, 2021 | December 20, 2021 |\r\n1.27.0 | November 10, 2021 | November 18, 2021 |\r\n1.31.0 | November 16, 2021 | March 15, 2022 |\r\n1.37.0 | November 15, 2021 | only one sample found |\r\n1.38.1 | November 15, 2021 | only one sample found |\r\n1.39.11 | November 18, 2021 | November 21, 2021 |\r\n1.40.0 | December 3, 2021 | only one sample found |\r\n1.41.0 | November 21, 2021 | January 3, 2022 |\r\n1.42.1 | November 21, 2021 | January 3, 2022 |\r\n1.42.4 | November 21, 2021 | November 21, 2021 | Introduced accessibility service “task”\r\n1.42.5 | November 21, 2021 | November 21, 2021 |\r\n1.42.6 | November 22, 2021 | November 22, 2021 |\r\n1.43.0 | November 25, 2021 | November 25, 2021 |\r\n1.43.1 | November 25, 2021 | November 25, 2021 |\r\n1.43.3 | November 23, 2021 | November 25, 2021 |\r\n1.43.5 | November 25, 2021 | only one sample found |\r\n1.43.7 | November 25, 2021 | only one sample found |\r\n1.44.0 | November 25, 2021 | only one sample found | added switch sendNotifToAdmin to turn on/off sending all notifications to CnC\r\n1.44.1 | November 29, 2021 | December 8, 2021 |\r\n1.45.0 | November 29, 2021 | November 29, 2021 |\r\n1.48.4 | December 02, 2021 | only one sample found | APP_STOP_VIEW added\r\n1.63.0 | February 9, 2022 | only one sample found | added autoReply and removeApp commands\r\n1.63.4 | February 22, 2022 | February 27, 2022 |\r\n1.64.0 | February 25, 2022 | only one sample found |\r\n1.64.1 | March 9, 2022 | March 11, 2022 |\r\n
It is interesting to note that there was a long pause of 2 months between the first sightings of versions 1.48.4 and 1.63.0:\r\nVersion 1.48.4 was first seen on December 4, 2021\r\nVersion 1.63.0 was first seen on February 9, 2022\r\nThe key features introduced in different versions are listed below in the form of a change log:\r\nOn November 21, 2021 (v.1.42.4) accessibility service tasks were added.\r\nOn November 25, 2021 (v.1.44.0) the sendNotifToAdmin switch was added. This switch controls whether the device’s notifications are sent to the CnC.\r\nOn December 2, 2021 (v.1.48.4) the APP_STOP_VIEW command was added.\r\nOn February 9, 2022 (v.1.63.0) a new DGA algorithm was introduced.\r\nSource: https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/"
	],
	"report_names": [
		"google-is-on-guard-sharks-shall-not-pass"
	],
	"threat_actors": [],
	"ts_created_at": 1775791287,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/281bf4effc25e62ab441de29acaa7f9d77e52c0c.pdf",
		"text": "https://archive.orkl.eu/281bf4effc25e62ab441de29acaa7f9d77e52c0c.txt",
		"img": "https://archive.orkl.eu/281bf4effc25e62ab441de29acaa7f9d77e52c0c.jpg"
	}
}