{
	"id": "f0940f9e-52ee-4220-9f2b-5bb2990c00dc",
	"created_at": "2026-04-06T00:19:36.572193Z",
	"updated_at": "2026-04-10T03:30:33.665657Z",
	"deleted_at": null,
	"sha1_hash": "880969deaaba4b025ab0c52e7d451f55d488e8cb",
	"title": "Android SharkBot Droppers on Google Play Underline Platform's Security Needs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2829733,
	"plain_text": "Android SharkBot Droppers on Google Play Underline Platform's\r\nSecurity Needs\r\nBy Elena FLONDOR\r\nArchived: 2026-04-05 13:30:06 UTC\r\nA common theme we've noticed in the last few months consists of malicious apps distributed directly from the\r\nGoogle Play Store. If something comes from an official store, people could be inclined to believe it’s safe. Our\r\nresearch has shown this to be false, many times over.\r\nOnly a few months ago, Bitdefender found a trove of malicious apps in the official store that pushed aggressive\r\nunwanted ads that could lead to more serious attacks.\r\nThanks to our real-time behavioral technology designed to detect software acting suspiciously, we uncovered apps\r\ndownloaded from Google Play acting as droppers for SharkBot bankers shortly after installation, depending on the\r\nuser's location.\r\nThe Google Play Store would likely detect a trojan banker uploaded to their repository, so criminals resort to more\r\ncovert methods. One way is with an app, sometimes legitimate with some of the advertised features, that doubles\r\nas a dropper for more insidious malware.\r\nThe apps Bitdefender found are disguised as file managers, which explains why they request permission to install\r\nexternal packages (REQUEST_INSTALL_PACKAGES) from the user. Of course, that permission is used to\r\ndownload malware. As Google Play apps only need the functionality of a file manager to install another app and\r\nthe malicious behavior is activated only for a restricted pool of users, they are challenging to detect.\r\nWhile none of the apps in this research are still available on the Google Play Store, they're still present across the\r\nweb in different third-party stores, making them a current threat.\r\nThe users who have downloaded the apps are primarily from the United Kingdom and Italy, with a small\r\nminority in other countries as well.\r\nhttps://www.bitdefender.com/blog/labs/android-sharkbot-droppers-on-google-play-underlines-platforms-security-needs/\r\nPage 1 of 19\n\nX-File Manager\r\nWe found the application X-File Manager (com.victorsoftice.llc) on Google Play; it had more than 10,000\r\ninstalls before it was deleted.\r\nhttps://play.google[.]com/store/apps/details?id=com.victorsoftice.llc\u0026hl=EN\r\nThe application installs a SharkBot sample with the label _File Manager, and the user is tricked into thinking that\r\nan update to the app must be installed.\r\nThe developer profile on Google Play seems to be visible only to users from Italy and Great Britain. Accessing its\r\npage without specifying the country code is not possible.\r\nMultiple users claim that the application drops malware, and the target of the criminals becomes apparent as the\r\nnegative reviews for the apps are all in Italian.\r\nWhen we took a closer look at the X-File Manager app, we found the sample has multiple permissions expected of\r\na file manager, including READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE,\r\nGET_ACCOUNTS, REQUEST_INSTALL_PACKAGES, QUERY_ALL_PACKAGES,\r\nREQUEST_DELETE_PACKAGES.\r\nUpon code analysis, we discovered the application performs anti-emulator checks and targets users from Great\r\nBritain and Italy by verifying if the SIM ISO corresponds with IT or GB. It also checks if the users have installed\r\nat least one of the targeted banking applications on their devices.\r\nSearching for the targeted bank:\r\nThe encryption of the country codes, URL, and banking list was also found in this sample:\r\nHere’s a list of apps monitored by the malware that includes other financial services. It’s worth noting that this is\r\nnot a fixed list as the attackers can always add support for new apps.\r\nPackage name Financial institution\r\ncom.barclays.android.barclaysmobilebanking Barclays\r\ncom.bankofireland.mobilebanking Bank of Ireland Mobile Banking\r\ncom.cooperativebank.bank The Co-operative Bank\r\nftb.ibank.android AIB (NI) Mobile\r\ncom.nearform.ptsb permanent tsb\r\nuk.co.mbna.cardservices.android MBNA Mobile App\r\ncom.danskebank.mobilebank3.uk Mobile Bank UK – Danske Bank\r\ncom.barclays.bca Barclaycard\r\ncom.tescobank.mobile Tesco Bank and Clubcard Pay+\r\ncom.virginmoney.uk.mobile.android Virgin Money Mobile Banking\r\ncom.cooperativebank.smile \"smile - the internet bank\"\r\ncom.starlingbank.android Starling Bank - Mobile Banking\r\nuk.co.metrobankonline.mobile.android.production Metro Bank\r\nuk.co.santander.santanderUK Santander Mobile Banking\r\nuk.co.hsbc.hsbcukmobilebanking HSBC UK Mobile Banking\r\nuk.co.tsb.newmobilebank TSB Mobile Banking\r\ncom.grppl.android.shell.BOS Bank of Scotland Mobile App\r\ncom.grppl.android.shell.halifax Halifax Mobile Banking\r\ncom.grppl.android.shell.CMBlloydsTSB73 Lloyds Bank Mobile Banking\r\nit.copergmps.rt.pf.android.sp.bmps Banca MPS\r\nit.extrabanca.mobile NewExtraMobileBank\r\nit.relaxbanking RelaxBanking Mobile\r\nit.bnl.apps.banking BNL\r\nit.bnl.apps.enterprise.hellobank Hello Bank!\r\nit.ingdirect.app ING Italia\r\nit.popso.SCRIGNOapp SCRIGNOapp\r\nposteitaliane.posteapp.appbpol BancoPosta\r\ncom.latuabancaperandroid Intesa Sanpaolo Mobile\r\ncom.latuabancaperandroid.pg Intesa Sanpaolo Business\r\ncom.latuabancaperandroid.ispb Intesa Sanpaolo Private\r\ncom.fineco.it Fineco\r\ncom.CredemMobile Credem\r\ncom.bmo.mobile BMO Mobile Banking\r\ncom.fideuram.alfabetobanking Alfabeto Banking\r\ncom.lynxspa.bancopopolare YouApp - Mobile Banking\r\ncom.vipera.chebanca CheBanca!\r\nThe URL redirects to a Russian Federation IP:\r\nhttp://94[.]198[.]53[.]205/loader_08_2022_03e19619736ebb206d5dc24b6ca3a84f/\r\nThe application performs a request to the URI, downloads the package, and writes the malicious payload on the\r\ndevice. The dropper fakes an update of the current application to complete the installation and asks the user to\r\ninstall the dropped APK.\r\nWhile the app is no longer available on the Google Play Store, it’s still on other websites:\r\nhttps://apksos[.]com/app/com.victorsoftice.llc\r\nhttps://pt.modapkdown[.]com/com.victorsoftice.llc/x-file-manager-mod/\r\nOther similar samples found on Google Play\r\nFileVoyager is also a file manager following the same pattern.\r\nhttps://play.google[.]com/store/apps/details?id=com.potsepko9.FileManagerApp\r\nUsers also claim that the application is suspicious and even malware.\r\nThe same encrypted list containing country codes, URL, and banks can be found in com.victorsoftice.llc.\r\nWe also found a similar sample named 'Phone AID, Cleaner, Booster' available on the web through third-party app\r\nstores:\r\nhttps://apksos[.]com/app/com.sidalistudio.developer.app\r\nhttps://apkaio[.]com/app/com.sidalistudio.developer.app\r\nhttps://www.modapkdown[.]com/com.sidalistudio.developer.app/phone-aid-cleaner-booster-mod/\r\n'LiteCleaner M' is yet another SharkBot sample that was published on Google Play then deleted, but not before\r\nbeing downloaded by over 1,000 people. It is still present on various third-party online websites.\r\nhttps://apksos[.]com/app/com.ltdevelopergroups.litecleaner.m\r\nSharkBot Droppers packages and Indicators of Compromise:\r\nPackage name\r\ncom.victorsoftice.llc\r\ncom.potsepko9.FileManagerApp\r\ncom.sidalistudio.developer.app\r\ncom.ltdevelopergroups.litecleaner.m\r\nIOCs:\r\nThe SharkBot sample is detected as Android.Trojan.Banker.ZP\r\n9a8345bcbc06fc4225d7b03d0a8a4c04c3e7b2fafbf9e00e7ca57dd95034ae34\r\nSource: https://www.bitdefender.com/blog/labs/android-sharkbot-droppers-on-google-play-underlines-platforms-security-needs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bitdefender.com/blog/labs/android-sharkbot-droppers-on-google-play-underlines-platforms-security-needs/"
	],
	"report_names": [
		"android-sharkbot-droppers-on-google-play-underlines-platforms-security-needs"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434776,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/880969deaaba4b025ab0c52e7d451f55d488e8cb.pdf",
		"text": "https://archive.orkl.eu/880969deaaba4b025ab0c52e7d451f55d488e8cb.txt",
		"img": "https://archive.orkl.eu/880969deaaba4b025ab0c52e7d451f55d488e8cb.jpg"
	}
}