{
	"id": "80e675e5-ef3d-4135-b83e-b64408117a85",
	"created_at": "2026-04-06T02:13:10.941579Z",
	"updated_at": "2026-04-10T03:30:32.841707Z",
	"deleted_at": null,
	"sha1_hash": "7bb44c5bff728f07e26b346279065de53af6a891",
	"title": "“Sharkbot” found on Google Play store - Check Point Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63363,
	"plain_text": "“Sharkbot” found on Google Play store - Check Point Blog\r\nBy etal\r\nPublished: 2022-04-07 · Archived: 2026-04-06 02:10:24 UTC\r\nHighlights:\r\nCheck Point Research (CPR) found anti-virus apps on the Google Play store disguised as legitimate which\r\ndownloaded and installed android malware\r\nAt least six different apps with over 15,000 total downloads were spreading the malware, which were\r\nconsequently all taken down from the Google Play store after CPR’s disclosure\r\nDubbed “Sharkbot” the malware steals credentials and banking information\r\nWhen searching for an anti-virus (AV) solution to protect your mobile, the last thing one would expect is for it to\r\nmake your device vulnerable to malware.\r\nThis is what the CPR team encountered while analyzing suspicious applications found on the Google Play store.\r\nThese applications were disguised as genuine AV solutions, but in reality, users downloaded and installed an\r\nandroid stealer called ‘Sharkbot’.\r\nSharkbot steals credentials and banking information. This malware implements a geofencing feature and evasion\r\ntechniques, which makes it stand out from the rest of malwares. It also makes use of something called domain\r\ngeneration algorithm (DGA), an aspect rarely used in the world of Android malware.\r\nCPR identified approximately 1000 unique IP addresses of infected devices during the time of analysis.\r\nMost of the victims were from Italy and the UK as per the chart below.\r\nhttps://blog.checkpoint.com/2022/04/07/android-banking-stealer-dubbed-sharkbot-found-disguised-as-legitimate-anti-virus-apps-on-the-google-play-store/\r\nPage 1 of 4\n\nRegional statistics\r\nSharkbot lures victims to enter their credentials in windows that mimics benign credential input forms. When the\r\nuser enters credentials in these windows, the compromised data is sent to a malicious server. 
Sharkbot doesn’t\r\ntarget every potential victim it encounters, but only select ones, using the geofencing feature to identify and ignore\r\nusers from China, India, Romania, Russia, Ukraine or Belarus.\r\nDisguised as legitimate anti-virus apps on Google Play store\r\nCPR researchers spotted a total of six different applications in the Google Play store that were spreading Sharkbot.\r\nFour applications came from three developer accounts, Zbynek Adamcik, Adelmio Pagnotto and Bingo Like Inc.\r\nWhen CPR checked the history of these accounts, we saw that two of them were active in the fall of 2021. Some\r\nof the applications linked to these accounts were removed from Google Play, but still exist in unofficial markets.\r\nThis could mean that the threat actor behind these applications is trying to stay under the radar, while still\r\ninvolved in malicious activity. Overall, we saw over 15,000 downloads of these apps from Google Play.\r\nApplications found on Google Play store\r\nResponsible disclosure to Google\r\nImmediately after identifying these applications that spread Sharkbot, CPR reported these findings to Google.\r\nQuickly after examining the apps, Google proceeded to permanently remove these applications from the Google Play\r\nstore.\r\nOn the same day CPR reported the finding to Google, NCC Group published separate research about\r\nSharkbot, mentioning one of the malicious apps.\r\nTimeline\r\nFebruary 25, 2022 – CPR discovered 4 applications of SharkBot Dropper on Google Play, with a total of\r\n11K installations.\r\nMarch 03, 2022 – CPR reported to Google the malicious applications found on Google Play.\r\nMarch 03, 2022 – NCC Group published their research on Sharkbot Dropper.\r\nMarch 09, 2022 – Reported applications removed from Google Play.\r\nMarch 15, 2022 – CPR found one more 
SharkBot dropper on Google Play with0+ installs. CPR reported it\r\nto Google.\r\nMarch 22, 2022 – An additional SharkBot dropper was discovered on Google Play, 0+ installs. CPR\r\nreported it to Google.\r\nMarch 27, 2022 – Newly found SharkBot droppers removed from Google Play.\r\nBeware of malicious apps\r\nThreat actors are evolving and constantly seeking ways to inject and drop malware by any means possible,\r\nincluding disguising it as legitimate “official” apps.\r\nWe advise Android users to:\r\nInstall applications only from trusted and verified publishers\r\nIf you see an application from a new publisher, search for equivalents from trusted publishers.\r\nReport to Google any seemingly suspicious applications you encounter\r\nProtections\r\nCheck Point’s Harmony Mobile prevents malware from infiltrating mobile devices by detecting and blocking the\r\ndownload of malicious apps in real-time. Harmony Mobile’s unique network security infrastructure – on-device\r\nnetwork protection – allows you to stay ahead of emerging threats by extending Check Point’s industry-leading\r\nnetwork security technologies to mobile devices.\r\nThreat Emulation protections:\r\nSharkbot.TC.*\r\nThe full technical analysis can be read on research.checkpoint.com\r\nSource: https://blog.checkpoint.com/2022/04/07/android-banking-stealer-dubbed-sharkbot-found-disguised-as-legitimate-anti-virus-apps-on-the-google-play-store/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.checkpoint.com/2022/04/07/android-banking-stealer-dubbed-sharkbot-found-disguised-as-legitimate-anti-virus-apps-on-the-google-play-store/"
	],
	"report_names": [
		"android-banking-stealer-dubbed-sharkbot-found-disguised-as-legitimate-anti-virus-apps-on-the-google-play-store"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441590,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7bb44c5bff728f07e26b346279065de53af6a891.pdf",
		"text": "https://archive.orkl.eu/7bb44c5bff728f07e26b346279065de53af6a891.txt",
		"img": "https://archive.orkl.eu/7bb44c5bff728f07e26b346279065de53af6a891.jpg"
	}
}