{ "id": "df3df594-7141-4326-802f-6e3195f0b49d", "created_at": "2026-04-06T00:22:06.725161Z", "updated_at": "2026-04-10T03:30:33.6453Z", "deleted_at": null, "sha1_hash": "67c6ee145c25fb6de0fbef21c6cd6cd1ac47cb19", "title": "SharkBot (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47857, "plain_text": "SharkBot (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 15:12:12 UTC\r\napk.sharkbot (Back to overview)\r\nSharkBot\r\nSharkBot is a piece of malicious software targeting Android Operating Systems (OSes). It is designed to obtain\r\nand misuse financial data by redirecting and stealthily initiating money transfers. SharkBot is particularly active in\r\nEurope (United Kingdom, Italy, etc.), but its activity has also been detected in the United States.\r\nReferences\r\n2023-07-29 ⋅ Google ⋅ Google Cybersecurity Action Team\r\nThreat Horizons August 2023 Threat Horizons Report\r\nSharkBot Cobalt Strike\r\n2022-10-28 ⋅ ThreatFabric ⋅ ThreatFabric\r\nMalware wars: the attack of the droppers\r\nBrunhilda SharkBot Vultur\r\n2022-09-06 ⋅ Github (muha2xmad) ⋅ Muhammad Hasan Ali\r\nTechnical analysis of SharkBot android malware\r\nSharkBot\r\n2022-09-02 ⋅ nccgroup ⋅ Alberto Segura, Mike Stokkel\r\nSharkbot is back in Google Play\r\nSharkBot\r\n2022-06-04 ⋅ bin.re ⋅ Johannes Bader\r\nThe Domain Generation Algorithms of SharkBot\r\nSharkBot\r\n2022-04-07 ⋅ Checkpoint ⋅ Alex Shamshur, Raman Ladutska\r\nGoogle is on guard: sharks shall not pass!\r\nSharkBot\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.sharkbot\r\nPage 1 of 2\n\n2022-03-03 ⋅ NCC Group ⋅ RIFT: Research and Intelligence Fusion Team\r\nSharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store\r\nSharkBot\r\n2022-03-03 ⋅ Fox-IT ⋅ Alberto Segura, Rolf Govers\r\nSharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store\r\nSharkBot\r\n2021-11-11 ⋅ Cleafy ⋅ Cleafy\r\nSharkBot: a new generation of Android Trojans is targeting banks in Europe\r\nSharkBot\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/apk.sharkbot\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.sharkbot\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.sharkbot" ], "report_names": [ "apk.sharkbot" ], "threat_actors": [ { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434926, "ts_updated_at": 1775791833, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/67c6ee145c25fb6de0fbef21c6cd6cd1ac47cb19.pdf", "text": "https://archive.orkl.eu/67c6ee145c25fb6de0fbef21c6cd6cd1ac47cb19.txt", "img": "https://archive.orkl.eu/67c6ee145c25fb6de0fbef21c6cd6cd1ac47cb19.jpg" } }