{
	"id": "bced4ec0-26d1-4e74-9763-c00f0c0d98d3",
	"created_at": "2026-04-06T00:07:35.314664Z",
	"updated_at": "2026-04-10T13:12:59.569065Z",
	"deleted_at": null,
	"sha1_hash": "af01c0ffdbc30336714d9f0679770b58888f495e",
	"title": "Sharkbot is back in Google Play",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2005211,
	"plain_text": "Sharkbot is back in Google Play\r\nBy Global Threat Intelligence\r\nPublished: 2022-09-02 · Archived: 2026-04-02 11:22:29 UTC\r\nAuthored by Alberto Segura (main author) and Mike Stokkel (co-author)\r\nIntroduction\r\nAfter we discovered the SharkbotDropper in Google Play in February 2022, posing as a fake Android antivirus and cleaner, we have now detected a new version of this dropper active in Google Play and dropping a new version of Sharkbot.\r\nThis new dropper doesn’t rely on Accessibility permissions to automatically install the Sharkbot malware it drops. Instead, this new version asks the victim to install the malware as a fake update for the antivirus, supposedly to stay protected against threats.\r\nWe have found two SharkbotDropper apps active in the Google Play Store, with 10K and 50K installs respectively.\r\nhttps://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/\r\nPage 1 of 12\n\nThe Google Play droppers download the full-featured Sharkbot V2, discovered some time ago by ThreatFabric. On the 16th of August 2022, Fox-IT’s Threat Intelligence team observed new command-and-control servers (C2s) that were providing a list of targets including banks outside of the United Kingdom and Italy. The newly targeted countries in those C2s were: Spain, Australia, Poland, Germany, United States of America and Austria.\r\nOn the 22nd of August 2022, Fox-IT’s Threat Intelligence team found a new Sharkbot sample, version 2.25, communicating with the command-and-control servers mentioned previously. This Sharkbot version introduced a new feature to steal session cookies from victims who log into their bank account.\r\nThe new SharkbotDropper in Google Play\r\nIn the previous versions of SharkbotDropper, the dropper abused accessibility permissions in order to automatically install the dropped malware. 
To do this, the dropper made a request to its command-and-control server, which provided a URL to download the full-featured Sharkbot malware and a list of steps to automatically install the malware, as we can see in the following image.\r\nAbusing the accessibility permissions, the dropper was able to automatically click all the buttons shown in the UI to install Sharkbot. But this is not the case in this new version of the dropper for Sharkbot. The dropper instead makes a request to the C2 server to directly receive the APK file of Sharkbot. It won’t receive a download link alongside the steps to install the malware using the ‘Automatic Transfer Systems’ (ATS) features, as it normally did.\r\nIn order to make this request, the dropper uses the following code, in which it prepares the POST request body with a JSON object containing information about the infection. The body of the request is encrypted using RC4 and a hard-coded key.\r\nIn order to complete the installation on the infected device, the dropper asks the user to install this APK as an update for the fake antivirus, which results in the malware starting an Android Intent to install the fake update.\r\nThis way, the new version of the Sharkbot dropper installs the payload in a non-automatic way, which makes it harder to get installed, since it depends on user interaction, but it is now more difficult to detect before being published in the Google Play Store, since it doesn’t need the accessibility permissions, which are always suspicious.\r\nBesides this, the dropper has also removed the ‘Direct Reply’ feature, used to automatically reply to the notifications received on the infected device. 
This is another feature which needs suspicious permissions, and which once removed makes the dropper more difficult to detect.\r\nTo make detection of the dropper by Google’s review team even harder, the malware contains a basic configuration hard-coded and encrypted using RC4, as we can see in the following image.\r\nThe decrypted configuration, as we can see in the following image, contains the list of targeted applications, the C2 domain and the countries targeted by the campaign (in this example UK and Italy).\r\nIf we look carefully at the code used to check the installed apps against the targeted apps, we can see that it first makes another check in the first lines:\r\nString lowerCase = ((TelephonyManager) App.f7282a.getSystemService(\"phone\")).getSimCountryIso().toLowerCase();\r\nif (!lowerCase.isEmpty() \u0026\u0026 this.f.getString(0).contains(lowerCase))\r\nBesides having at least one of the targeted apps installed on the device, the SharkbotDropper checks whether the SIM provider’s country code is one of the ones included in the configuration – in this campaign it must be GB or IT. If it matches and the device has any of the targeted apps installed, then the dropper can request the full malware download from the C2 server. This way, it is much more difficult to check whether the app is dropping something malicious. 
But this is not the only way to make sure only targeted users are infected: the app published in Google Play is only available to install in the United Kingdom and Italy.\r\nAfter the dropper installs the actual Sharkbot v2 malware, it’s time for the malware to ask for accessibility permissions to start stealing the victim’s information.\r\nSharkbot 2.25-2.26: New features to steal cookies\r\nThe Sharkbot malware keeps the usual information-stealing features we introduced in our first post about Sharkbot:\r\nInjections (overlay attacks): this feature allows Sharkbot to steal credentials by showing a fake website (phishing) inside a WebView. It is shown as soon as the malware detects that one of the banking applications has been opened.\r\nKeylogging: this feature allows Sharkbot to receive every accessibility event produced on the infected device; this way, it can log events such as button clicks, changes in TextFields, etc., and finally send them to the C2.\r\nSMS intercept: this feature allows Sharkbot to receive every text message received on the device, and send it to the C2.\r\nRemote control/ATS: this feature allows Sharkbot to simulate accessibility events such as button clicks, physical button presses, TextField changes, etc. It is used to automatically make financial transactions using the victim’s device; this way the threat actors don’t need to log in to the stolen bank account, bypassing a lot of the security measures.\r\nThose features were present in Sharkbot 1, but also in Sharkbot 2, which didn’t change much with regard to the implemented features to steal information. 
As ThreatFabric pointed out in their tweet, Sharkbot 2, which was detected in May 2022, is a code refactor of the malware and introduces a few changes related to the C2 Domain Generation Algorithm (DGA) and the protocol used to communicate with the server.\r\nVersion 2 introduced a new DGA, with new TLDs and new code, since it now uses MD5 to generate the domain name instead of Base64.\r\nWe have not observed any big changes until version 2.25, in which the developers of Sharkbot have introduced a new and interesting feature: Cookie Stealing or Cookie logger. This new feature allows Sharkbot to receive a URL and a User-Agent value – using a new command ‘logsCookie’ – which are used to open a WebView loading this URL, using the received User-Agent as header, as we can see in the following images of the code.\r\nOnce the victim has logged in to their bank account, the malware receives the PageFinished event and gets the cookies of the website loaded inside the malicious WebView, to finally send them to the C2.\r\nNew campaigns in new countries\r\nDuring our research, we observed that the newer C2 servers are providing new targeted applications in Sharkbot’s configuration. The list of targeted countries has grown to include Spain, Australia, Poland, Germany, United States of America and Austria. But the interesting thing is that the new targeted applications are not targeted using the typical webinjections; instead, they are targeted using the keylogging – grabber – features. This way, the malware is stealing information from the text shown inside the official app. 
As we can see in the following image, the focus seems to be getting the account balance and, in some cases, the password, by reading the content of specific TextFields.\r\nAlso, for some of the targeted applications, the malware provides within the configuration a list of ATS configurations used to avoid the fingerprint-based log in, which should cause the usual username and password form to be shown. This allows the malware to steal the credentials using the previously mentioned ‘keylogging’ features, since a log in via fingerprint would otherwise not require the credentials to be typed.\r\nConclusion\r\nSince we published our first blog post about Sharkbot in March 2022, in which we detected the SharkbotDropper campaigns within the Google Play Store, the developers have been working hard to improve their malware and the dropper. In May, ThreatFabric found a new version of Sharkbot, version 2.0, which was a refactor of the source code and included some changes in the communication protocol and in the DGA.\r\nUntil now, Sharkbot’s developers seem to have been focusing on the dropper in order to keep using the Google Play Store to distribute their malware in the latest campaigns. 
These latest campaigns still use fake antivirus and Android cleaners to install the dropper from Google Play.\r\nWith all these changes and new features, we are expecting to see more campaigns, targeted applications, targeted countries and changes in Sharkbot this year.\r\nIndicators of compromise\r\nSharkbotDropper samples published in Google Play:\r\nhxxps://play.google[.]com/store/apps/details?id=com.kylhavy.antivirus\r\nhxxps://play.google[.]com/store/apps/details?id=com.mbkristine8.cleanmaster\r\nDropper Command-and-control (C2):\r\nhxxp://mefika[.]me/\r\nSharkbot 2.25 (introducing new Cookie stealing features):\r\nHash: 7f2248f5de8a74b3d1c48be0db574b1c6558d6edae347592b29dc5234337a5ff\r\nC2: hxxp://browntrawler[.]store/ (185.212.47[.]113)\r\nSharkbot v2.26 sample:\r\nHash: 870747141b1a2afcd76b4c6482ce0c3c21480ae3700d9cb9dd318aed0f963c58\r\nC2: hxxp://browntrawler[.]store/ (185.212.47[.]113)\r\nDGA Active C2s:\r\n23080420d0d93913[.]live (185.212.47[.]113)\r\n7f3e61be7bb7363d[.]live (185.212.47[.]113)\r\nSource: https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/"
	],
	"report_names": [
		"sharkbot-is-back-in-google-play"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434055,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af01c0ffdbc30336714d9f0679770b58888f495e.pdf",
		"text": "https://archive.orkl.eu/af01c0ffdbc30336714d9f0679770b58888f495e.txt",
		"img": "https://archive.orkl.eu/af01c0ffdbc30336714d9f0679770b58888f495e.jpg"
	}
}