{
	"id": "e8c82c97-1291-4fc3-9a74-78b6225a32ca",
	"created_at": "2026-04-06T00:09:25.135608Z",
	"updated_at": "2026-04-10T03:30:33.833678Z",
	"deleted_at": null,
	"sha1_hash": "531bf423d936eda1f8870b0970d6e6e1b2f027c3",
	"title": "SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86325,
	"plain_text": "SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store\r\nBy Joost Jansen\r\nPublished: 2022-03-03 · Archived: 2026-04-05 22:59:58 UTC\r\nAuthors:\r\nAlberto Segura, Malware analyst\r\nRolf Govers, Malware analyst \u0026 Forensic IT Expert\r\nNCC Group, as well as many other researchers, noticed a rise in Android malware last year, especially Android banking malware. Within the Threat Intelligence team of NCC Group we look closely at several of these malware families to provide valuable information to our customers about these threats. Next to the more popular Android banking malware, NCC Group’s Threat Intelligence team also watches new trends and new families that arise and could be potential threats to our customers.\r\nOne of these ‘newer’ families is an Android banking malware called SharkBot. During our research NCC Group noticed that this malware was distributed via the official Google Play Store. After discovery NCC Group immediately notified Google and decided to share our knowledge via this blog post.\r\nSummary\r\nSharkBot is an Android banking malware found at the end of October 2021 by the Cleafy Threat Intelligence Team. At the moment of writing the SharkBot malware doesn’t seem to have any relations with other Android banking malware like Flubot, Cerberus/Alien, Anatsa/Teabot, Oscorp, etc.\r\nThe Cleafy blog post stated that the main goal of SharkBot is to initiate money transfers (from compromised devices) via Automatic Transfer Systems (ATS). As far as we observed, this is an advanced attack technique which isn’t used regularly within Android malware. It enables adversaries to auto-fill fields in legitimate mobile banking apps and initiate money transfers, whereas other Android banking malware, like Anatsa/Teabot or Oscorp, requires a live operator to insert and authorize money transfers. This technique also allows adversaries to scale up their operations with minimum effort.\r\nThe ATS feature allows the malware to receive a list of events to be simulated, which are then simulated in order to do the money transfers. Since this feature can be used to simulate touches/clicks and button presses, it can be used not only to automatically transfer money but also to install other malicious applications or components. This is the case for the SharkBot version that we found in the Google Play Store, which seems to be a reduced version of SharkBot with the minimum required features, such as ATS, to install a full version of the malware some time after the initial install.\r\nhttps://blog.fox-it.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/\r\nPage 1 of 6\n\nBecause it is distributed via the Google Play Store as a fake Antivirus, we found that they have to make use of infected devices in order to spread the malicious app. SharkBot achieves this by abusing the ‘Direct Reply‘ Android feature. This feature is used to automatically send a reply notification with a message to download the fake Antivirus app. This spread strategy abusing the Direct Reply feature has been seen recently in another banking malware called Flubot, discovered by ThreatFabric.\r\nWhat is interesting and different from the other families is that SharkBot likely uses ATS to also bypass multi-factor authentication mechanisms, including behavioral detection like biometrics, while at the same time it also includes more classic features to steal users’ credentials.\r\nMoney and Credential Stealing features\r\nSharkBot implements the four main strategies to steal banking credentials in Android:\r\nInjections (overlay attack): SharkBot can steal credentials by showing a WebView with a fake login website (phishing) as soon as it detects the official banking app has been opened.\r\nKeylogging: SharkBot can steal credentials by logging accessibility events (related to text field changes and buttons clicked) and sending these logs to the command and control server (C2).\r\nSMS intercept: SharkBot has the ability to intercept/hide SMS messages.\r\nRemote control/ATS: SharkBot has the ability to obtain full remote control of an Android device (via Accessibility Services).\r\nFor most of these features, SharkBot needs the victim to enable the Accessibility Permissions \u0026 Services. These permissions allow Android banking malware to intercept all the accessibility events produced by the interaction of the user with the User Interface, including button presses, touches, TextField changes (useful for the keylogging features), etc. The intercepted accessibility events also allow it to detect the foreground application, so banking malware also uses these permissions to detect when a targeted app is open, in order to show the web injections to steal users’ credentials.\r\nDelivery\r\nSharkBot is distributed via the Google Play Store, but also using something relatively new in Android malware: the ‘Direct reply‘ feature for notifications. With this feature, the C2 can provide a message to the malware which will be used to automatically reply to the incoming notifications received on the infected device. This was recently introduced by Flubot to distribute the malware using the infected devices, but it seems the SharkBot threat actors have also included this feature in recent versions.\r\nIn the following image we can see the code of SharkBot used to intercept new notifications and automatically reply to them with the message received from the C2.\r\nIn the following picture we can see the ‘autoReply’ command received by our infected test device, which contains a shortened Bit.ly link which redirects to the Google Play Store sample.\r\nWe detected the SharkBot reduced version published in Google Play on 28th February, but the last update was on 10th February, so the app has been published for some time now. This reduced version uses a very similar protocol to communicate with the C2 (RC4 to encrypt the payload and a public RSA key used to encrypt the RC4 key, so the C2 server can decrypt the request and encrypt the response using the same key). This SharkBot version, which we can call SharkBotDropper, is mainly used to download a fully featured SharkBot from the C2 server, which will be installed by using the Automatic Transfer System (ATS) (simulating clicks and touches with the Accessibility permissions).\r\nThis malicious dropper is published in the Google Play Store as a fake Antivirus, which really has two main goals (and commands to receive from the C2):\r\nSpread the malware using the ‘Auto reply’ feature: It can receive an ‘autoReply’ command with the message that should be used to automatically reply to any notification received on the infected device. During our research, it has been spreading the same Google Play dropper via a shortened Bit.ly URL.\r\nDropper+ATS: The ATS features are used to install the downloaded SharkBot sample obtained from the C2. In the following image we can see the decrypted response received from the C2, in which the dropper receives the command ‘b‘ to download the full SharkBot sample from the provided URL and the ATS events to simulate in order to get the malware installed.\r\nWith this command, the app installed from the Google Play Store is able to install and enable Accessibility Permissions for the fully featured SharkBot sample it downloaded. It will be used to finally perform the ATS fraud to steal money and credentials from the victims.\r\nThe fake Antivirus app, the SharkBotDropper, published in the Google Play Store has more than 1,000 downloads, and some fake comments like ‘It works good’, but also other comments from victims that realized that this app does some weird things.\r\nTechnical analysis\r\nProtocol \u0026 C2\r\nThe protocol used to communicate with the C2 servers is an HTTP based protocol. The HTTP requests are made in plain text, since it doesn’t use HTTPS. Even so, the actual payload with the information sent and received is encrypted using RC4. The RC4 key used to encrypt the information is randomly generated for each request, and encrypted using the RSA public key hardcoded in each sample. That way, the C2 can decrypt the encrypted key (rkey field in the HTTP POST request) and finally decrypt the sent payload (rdata field in the HTTP POST request).\r\nIf we take a look at the decrypted payload, we can see how SharkBot is simply using JSON to send different information about the infected device and receive the commands to be executed from the C2. In the following image we can see the decrypted RC4 payload which has been sent from an infected device.\r\nTwo important fields sent in the requests are:\r\nownerID\r\nbotnetID\r\nThose parameters are hardcoded and have the same value in the analyzed samples. We think those values can be used in the future to identify different buyers of this malware, which based on our investigation is not being sold in underground forums yet.\r\nDomain Generation Algorithm\r\nSharkBot includes one or two domains/URLs which should be registered and working, but in case the hardcoded C2 servers were taken down, it also includes a Domain Generation Algorithm (DGA) to be able to communicate with a new C2 server in the future.\r\nThe DGA uses the current date and a specific suffix string (‘pojBI9LHGFdfgegjjsJ99hvVGHVOjhksdf’), base64-encodes the result and takes the first 19 characters. Then, it appends different TLDs to generate the final candidate domains.\r\nThe date elements used are:\r\nWeek of the year (v1.get(3) in the code)\r\nYear (v1.get(1) in the code)\r\nIt uses the ‘+’ operator, but since the week of the year and the year are Integers, they are added instead of concatenated, so for example: for the second week of 2022, the generated string to be base64 encoded is: 2 + 2022 + “pojBI9LHGFdfgegjjsJ99hvVGHVOjhksdf” = 2024 + “pojBI9LHGFdfgegjjsJ99hvVGHVOjhksdf” = “2024pojBI9LHGFdfgegjjsJ99hvVGHVOjhksdf”.\r\nIn previous versions of SharkBot (from November-December of 2021), it only used the current week of the year to generate the domain. Including the year in the generation algorithm seems to be an update for better support of the new year 2022.\r\nCommands\r\nSharkBot can receive different commands from the C2 server in order to execute different actions on the infected device such as sending text messages, downloading files, showing injections, etc. The list of commands it can receive and execute is as follows:\r\nsmsSend: used to send a text message to the phone number specified by the TAs\r\nupdateLib: used to request that the malware downloads a new JAR file from the specified URL, which should contain an updated version of the malware\r\nupdateSQL: used to send the SQL query to be executed in the SQLite database which SharkBot uses to save the configuration of the malware (injections, etc.)\r\nstopAll: used to reset/stop the ATS feature, stopping the in-progress automation.\r\nupdateConfig: used to send an updated config to the malware.\r\nuninstallApp: used to uninstall the specified app from the infected device\r\nchangeSmsAdmin: used to change the SMS manager app\r\ngetDoze: used to check if the permissions to ignore battery optimization are enabled, and show the Android settings to disable them if they aren’t\r\nsendInject: used to show an overlay to steal users’ credentials\r\ngetNotify: used to show the Notification Listener settings if they are not enabled for the malware. With this permission enabled, SharkBot will be able to intercept notifications and send them to the C2\r\nAPP_STOP_VIEW: used to close the specified app, so every time the user tries to open that app, the Accessibility Service will close it\r\ndownloadFile: used to download one file from the specified URL\r\nupdateTimeKnock: used to update the last request timestamp for the bot\r\nlocalATS: used to enable ATS attacks. It includes a JSON array with the different events/actions it should simulate to perform ATS (button clicks, etc.)\r\nAutomatic Transfer System\r\nOne of the distinctive parts of SharkBot is that it uses a technique known as Automatic Transfer System (ATS). ATS is a relatively new technique used by banking malware for Android.\r\nTo summarize, ATS can be compared with webinjects, only serving a different purpose. Rather than gathering credentials for use/scale it uses the credentials for automatically initiating wire transfers on the endpoint itself (so without needing to log in and bypassing 2FA or other anti-fraud measures). However, it is very individually tailored and requires quite some maintenance for each bank, amount, money mules etc. This is probably one of the reasons ATS isn’t that popular amongst (Android) banking malware.\r\nHow does it work?\r\nOnce a target logs into their banking app the malware would receive an array of events (clicks/touches, button presses, gestures, etc.) to be simulated in a specific order. Those events are used to simulate the interaction of the victim with the banking app to make money transfers, as if the user were doing the money transfer himself. This way, the money transfer is made from the device of the victim by simulating different events, which makes the fraud much more difficult for fraud detection systems to detect.\r\nIoCs\r\nSample Hashes:\r\na56dacc093823dc1d266d68ddfba04b2265e613dcc4b69f350873b485b9e1f1c (Google Play SharkBotDropper)\r\n9701bef2231ecd20d52f8fd2defa4374bffc35a721e4be4519bda8f5f353e27a (Dropped SharkBot v1.64.1)\r\nSharkBotDropper C2:\r\nhxxp://statscodicefiscale[.]xyz/stats/\r\n‘Auto/Direct Reply’ URL used to distribute the malware:\r\nhxxps://bit[.]ly/34ArUxI\r\nGoogle Play Store URL:\r\nhttps://play.google.com/store/apps/details?id=com.abbondioendrizzi.antivirus.supercleaner\r\nC2 servers/Domains for SharkBot:\r\nn3bvakjjouxir0zkzmd[.]xyz (185.219.221.99)\r\nmjayoxbvakjjouxir0z[.]xyz (185.219.221.99)\r\nRSA Public Key used to encrypt RC4 key in SharkBot:\r\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2R7nRj0JMouviqMisFYt0F2QnScoofoR7svCcjrQcTUe7tKKweDnSetdz1A+PLNtk7w\r\nRSA Public Key used to encrypt RC4 Key in the Google Play SharkBotDropper:\r\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu9qo1QgM8FH7oAkCLkNO5XfQBUdl+pI4u2tvyFiZZ6hMZ07QnlYazgRmWcC5j5H2iV+\r\nSource: https://blog.fox-it.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.fox-it.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"
	],
	"report_names": [
		"sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434165,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/531bf423d936eda1f8870b0970d6e6e1b2f027c3.pdf",
		"text": "https://archive.orkl.eu/531bf423d936eda1f8870b0970d6e6e1b2f027c3.txt",
		"img": "https://archive.orkl.eu/531bf423d936eda1f8870b0970d6e6e1b2f027c3.jpg"
	}
}