# Google is on guard: sharks shall not pass!

**[research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/](https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/)**

April 7, 2022
_Research by: Alex Shamshur, Raman Ladutska_

## Introduction


April 7, 2022


When you search for Anti-Virus (AV) solutions to protect your mobile devices, you don’t
expect these solutions to do the opposite i.e. make devices vulnerable to malware.

This what the Check Point Research (CPR) team encountered while analyzing suspicious
applications found in Google Play. These applications pretended to be genuine AV solutions
while in reality they downloaded and installed an Android Stealer called Sharkbot.

Sharkbot steals credentials and banking information. The malware implements a geofencing
feature and evasion techniques that makes it stand out in the field. It also makes use of
**Domain Generation Algorithm (DGA), an aspect rarely used in the world of Android**
malware. Sharkbot lures victims to enter their credentials in windows that mimic benign
credential input forms. When the user enters credentials in these windows, the compromised
data is sent to a malicious server.


-----

Sharkbot has a handful of tricks up its sleeve. It doesn t target every potential victim it
encounters, but only select ones, using the geofencing feature to identify and ignore users
from China, India, Romania, Russia, Ukraine or Belarus.

_Figure 1 -Geofencing feature as implemented in Sharkbot._

Evasion techniques are also a part of Sharkbot’s arsenal. If the malware detects it is running
in a sandbox, it stops the execution and quits.

_Figure 2 – Evasion technique encountered in Sharkbot._

In the Google Play store, we spotted a total of six different applications that were spreading
Sharkbot.

_Figure 3 – Icons and names of the applications we found._

These six applications came from three developer accounts, `Zbynek Adamcik,` `Adelmio`
```
Pagnotto and Bingo Like Inc . When we checked the history of these accounts, we saw

```
that two of them were active in the fall of 2021. Some of the applications linked to these


_Figure 3 – Icons and names of the applications we found._


_Figure 1 -Geofencing feature as implemented in Sharkbot._


-----

accounts were removed from Google Play, but still exist in unofficial markets. This could
mean that the actor behind the applications is trying to stay under the radar while still
involved in malicious activity.

The applications removed from Google Play were downloaded and installed approximately
[15 thousand times. Following information we got from www.appbrain.com.](https://www.appbrain.com/)

_Figure 4 – Statistics of the developers’ accounts. Unpublished applications are outlined._

After spotting the applications that spread Sharkbot, we immediately contacted Google and
reported our findings. After a fast yet thorough examination, all the applications that were
found spreading Sharkbot were permanently removed from the Google Play store.

However, the Sharkbot malware is still active. In this article, we provide a deep technical
analysis of Sharkbot and reveal the steps that helped us to spot the malware-spreading
applications on Google Play.

## Timeline

February 25, 2022 – We discovered 4 applications of SharkBot Dropper on Google
Play.
March 03, 2022 – We reported Google about found applications.
March 03, 2022 – NCC Group published their research on Sharkbot Dropper.
March 09, 2022 – Reported applications removed from Google Play.


_Figure 4 – Statistics of the developers’ accounts. Unpublished applications are outlined._


-----

March 15, 2022 – One more SharkBot dropper discovered on Google Play, 0+ installs.
Same day we reported this application to Google.
March 22, 2022 – One more SharkBot dropper discovered on Google Play, 0+ installs.
Same day we reported this application to Google.
March 27, 2022 – newly found SharkBot dropper’s removed from Google Play.

## Technical analysis

We already mentioned that Sharkbot implements evasion techniques and a geofencing
feature, but these are not its only noteworthy tricks. Another distinctive aspect present in
Sharkbot is the use of DGA, which is rarely seen in Android malware. With DGA, one sample
with a hardcoded seed generates 7 domains per week. Including all the seeds and
algorithms we have observed, there is a total of 56 domains per week, i.e., 8 different
combinations of seed/algorithm.

Speaking of its main functionality, Sharkbot implements the traditional toolkit for Android
bankers and stealers. As a vivid example, we saw the abuse of the Accessibility Service
which provides the application with access to all the data which is seen by the user and also
allows the application to interact with an interface as though as it were a person.

During our observations, 27 versions of the bot were discovered. The main differences
between the versions are different DGA seeds as well as different botnetID and ownerID
fields. For more information on the different versions and a change log, see the Appendix.

## Commands

The Sharkbot malware implements a total of 22 commands that allow various kinds of
malicious actions to be executed by a Command-and-Control server (CnC) on the infected
device.

This table shows the commands used and their descriptions:

**№** **Command** **Description**

1 smsSend Requests permission for sending SMS.

2 updateLib Downloads and stores a jar file with java code.

3 updateSQL Updates a given option in local DB.

4 updateConfig Updates the different options.

5 uninstallApp Uninstalls a given application.

6 collectContacts Sends the contacts list to the server.


-----

7 changeSmsAdmin For the user to change the default SMS manager.

8 getDoze Disables the battery optimization, so Sharkbot can run in
background

9 sendInject Creates the “Injection” window from a given URL.

10 iWantA11 For the user to enable Sharkbot as Accessibility Service.

11 updateTimeKnock Updates the “TIME_KNOCK_ADMIN” option.

12 sendPush Displays a PUSH-notification for the user.

13 APP_STOP_VIEW Prevents the user from activating the application.

14 Swipe Imitate the user’s swipe over the device’s screen.

15 autoReply Sets up an autoreply message on Push-notifications.

16 removeApp Silently uninstalls a given application.

17 serviceSMS Sends SMS messages to the provided phone numbers with a
provided text.

18 getNotify Turns on Notification Listener permission for the Sharkbot
application.

19 localATS Starts given applications and logs all Accessibility Events.

20 sendSMS Sends an SMS with given text to a given number.

21 downloadFile Downloads a file from provided URL and stores it locally with an
APK extension.

22 stopAll A command is transferred to the jar-file, dropped with the
updateLib command.

If unknown command arrives from server, then this command is sent to jar-file, dropped with
```
updateLib command.

```
Below we provide a more detailed description of the commands supported by the malware.

### smsSend

Checks if permission for sending SMSs is granted. If not, then the user is asked to grant
permission to send and read SMSs.

### updateLib


-----

With this command, the CnC sends code for overlay injects for the user s applications. The
code is saved to a local jar-file. We named this module jarMod. The CnC can send
commands to jarMod, including updateConfig, changeSmsAdmin and any uncategorized
command.

_Figure 5 – Code block of executable dropper._

### updateSQL

**Sharkbot stores local configuration in an SQLite DB (database) in the file** `database.db or`
```
sharked.db located at the path /data/data/<package_name>/databases/ . Values in

```
the DB are stored in encrypted form.

_Figure 6 – Example of a local database._

With the help of the updateSQL command values in the database can be updated.

### updateConfig

With this command, the CnC address and the name of the application for injection can be
updated:


_Figure 5 – Code block of executable dropper._


-----

_Figure 7 – Storing new configuration._

### uninstallApp

Uninstalls the application with the provided package name:

_Figure 8 – Uninstalling an application._

### collectContacts

Collects and sends contacts to the server.

### changeSmsAdmin

Sends the name of old and currently default SMS applications to the CnC, and sends a
command to the previously downloaded jar code (see updateLib command).

_Figure 9 – Handler of the changeSmsAdmin command._

### getDoze

Used to disable battery optimization for Sharkbot’s package.


_Figure 7 – Storing new configuration._


_Figure 9 – Handler of the changeSmsAdmin command._


-----

_Figure 10 – Disabling battery optimization for the Sharkbot application._

### sendInject

Performs overlay inject with a form from a provided URL.

_Figure 11 – Performing inject._

### iWantA11

Used to enable the Accessibility Service for Sharkbot:

_Figure 12 – To enable the Accessibility Service for Sharkbot._

### updateTimeKnock

Set the field “TIME_KNOCK_ADMIN” in the local DB to the provided value.

_Figure 13 – Updating knock time._

### sendPush

Shows the user a push message with provided text.

_Figure 14 – Code to show a push-message to the user._


_Figure 11 – Performing inject._


_Figure 10 – Disabling battery optimization for the Sharkbot application._


_Figure 14 – Code to show a push-message to the user._


-----

### APP_STOP_VIEW

With this command, the CnC sets up package names for which the Accessibility Service
prevents the user from accessing these applications:

_Figure 15 – Prevent the user from accessing an application._

By default, 2 package names are used: `com.android.settings and`


_Figure 15 – Prevent the user from accessing an application._

```
com.samsung.accessibility

```

_Figure 16 – Default applications to prevent access._

### Swipe

With this command Sharkbot can imitate the user’s swipe over the device’s screen:

_Figure 17 – Emulating swipe sequences._

This appears as if it was designed to unlock an application or the whole device.


_Figure 17 – Emulating swipe sequences._


-----

### autoReply

This is not an actual command, but a field in the `updateConfig` command. With the
autoReply field, the server sends a message to imitate an answer on push events. The
command consists of an array with two fields in each element of the array:

_Figure 18 – Example of the autoReply field._

It is possible to set different messages for each application. On Figure 18, you can see
messages for two different applications: WhatsApp messenger and Facebook messenger.

In Figure 18, we caught the test period for the development of the autoreply feature. We can
say that because both messages target www.google.com.

You can also use one message for all notifications. Here is a variant from the production
usage:

_Figure 19 – One message for all notifications._

### removeApp

This is not a command, but a field of the `updateConfig command. With the` `removeApp`
command, the server sends a huge list of applications which should be uninstalled from the
user’s device. At present, this list contains 680 applications.

_Figure 20 – Uninstalling applications._

## Network


_Figure 20 – Uninstalling applications._


_Figure 19 – One message for all notifications._


-----

There are very few types of malware that can work without communicating with a CnC
server; stealers and bankers are the ones which can’t. If a malware operator has several
servers, then it’s easy to block access to them either by a corporate firewall, or with the AV
software installed on the device. After the CnCs are blocked, an operator can change the
domain name of the CnC server but how are already installed clients supposed to learn
about the server change? This is where Domain Generation Algorithm enters the scene.

DGA is an algorithm by which a malicious client and malicious actor can change the CnC
server in concert, without any communication. DGA is a piece of code which runs on a client
and generates dynamic names for the CnC server, so if today one CnC server is blocked
then within a day, a week or a month, a new name for the CnC will be generated and used.
This algorithm complicates the process of blocking malware operators’ servers.

Usually DGA consists of two parts: the actual algorithm, and the constants used by the
algorithm. These constants are called DGA seeds.

As we mentioned earlier, implementing DGA is rarely observed in Android malware, but
Sharkbot is an exception.

Before the connection to the DGA domains is made, Sharkbot attempts to connect to the
static URL hardcoded inside:

_Figure 21 – Static CnC URL._

Only if the static server does not respond, Sharkbot uses an embedded DGA procedure to
get relevant domains for the current date and then attempts to connect to them one by one:

_Figure 22 – DGA code._

The final string for DGA consists of several fields:

Current year (using since 02.09.2022)
Current week number
seed-word
Key `pojBI9LHGFdfgegjjsJ99hvVGHVOjhksdf`

We noticed that the seed-word is changed across samples. We caught the following variants:


_Figure 22 – DGA code._


-----

sharked
“traff”
“jarmi”
“” (no word)

_Figure 23 – Using seeds in domain name generation._

### Protocol

The exchange with the CnC server happens over HTTP with POST request on path /. Each
request and answer is encrypted with RC4. The key for RC4 is transferred encrypted with the
RSA public key. The request consists of 2 fields:

**rkey: Used to transfer the RC4 encryption key. The key is encrypted with the RSA**
public key.
**rdata: Used for data, encrypted with RC4.**

_Figure 24 – RAW request to the server._

The answer consists of the encrypted data only.


_Figure 23 – Using seeds in domain name generation._


-----

_Figure 25 – RAW answer from the server._

In a clean view protocol you can find the JSON data. The bot acts as a client, and the CnC
acts as a server. A typical request from the bot looks like this:

_Figure 26 – Clear request to the server._

When a server has no commands to send, it answers with “ok”:

_Figure 27 – Server answer without command._

When a server has commands for the bot, the answer looks like this:

_Figure 28 – Server answer with command._

These are the fields in the answer:
```
   dataCommand : Type of packet.
   command : Type of command.
   CommandID : We observed this field is increased by one for every command, and is

```
sent by the server.
```
   data : Command data, whose contents depend on the type of command.

```

_Figure 26 – Clear request to the server._


_Figure 25 – RAW answer from the server._


-----

### Keep alive

Periodically, with a fixed period of time, the bot sends a knock-packet to the server. By
default, this packet is sent every 30 seconds. The server can change the time period with
the command `updateTimeKnock . Here is how a knock-packet looks :`

_Figure 29 – Keep-alive packet._

The value for a `knock field is chosen at random:`

_Figure 30 – Choosing the knock value._

## Infrastructure

At the time of publication, we counted 8 IP addresses which were Sharkbot’s CnC servers at
different times. During our research of the infrastructure, we spotted a field `commandID` in
some answers from the server. This field is used to identify each command sent from the
server to the client.

After more detailed analysis, we can assume that this field is increased by one for each
command sent from the server. During our experiments, we noticed that this value does not
depend on the particular CnC server but instead is a common value for all of them.

Here are the logs of the requests and response exchange with different servers on January
25 2022 one after the other:


_Figure 30 – Choosing the knock value._


-----

Server `mnbvakjjouxir0zkzmd[.]xyz with IP` `31[.]214.157.112 :`

_Figure 31 – Request to the server, at 15:45:12.487._

_Figure 32 – Answer from the server, at 15:45:13.80._

Server `mjaynxbvakjjouxir0z[.]xyz with IP` `109[.]230.199.99 :`

_Figure 33 – Request to the server, at 15:48:06.448._

_Figure 34 – Answer from the server, at 15:48:07.45._

As you can see, the value of `commandID changed by exactly one. From this we can`
assume even more:

There is one real server, and the others work as relays.
We can use the values of the field `commandID to evaluate the activity of the server`
sending commands to clients.


_Figure 33 – Request to the server, at 15:48:06.448._


_Figure 32 – Answer from the server, at 15:45:13.80._


-----

Using the value of the commandID field, we can estimate the activity of Sharkbot s servers.
We calculated an average increase of the commandID value per hour for the period from
January 26 to March 23 and got the following result:

_Figure 35 – Sharkbot server activity._

We can see that activity increased, with the peak at the beginning of March. This correlates
with the active use of Sharkbot’s dropper on Google Play.

The following chart shows the number of unique IP addresses encountered in the period
from February 14 to February 20:

Blue bars denote the count of unique IP addresses per day.
Red bars denote the count of unique IP addresses, excluding the ones already seen in
the previous days.


_Figure 35 – Sharkbot server activity._


-----

_Figure 36 – Unique IP addressed statistics observed in the middle of February._

During our observation for this particular week in February, we saw approximately one
thousand unique IP addresses in total.

The following chart shows the location-based statistics. The main targets are Italy and the
United Kingdom.


_Figure 36 – Unique IP addressed statistics observed in the middle of February._


-----

_Figure 37 – Regional statistics._

## Droppers

Now that we described different aspects of Sharkbot, to complete the picture, we discuss the
methods by which Sharkbot spreads. As mentioned at the beginning, the malware is
downloaded and installed by the dropper applications in Google Play which masquerade as
AV solutions. These are the applications:

com.abbondioendrizzi.tools.supercleaner
com.abbondioendrizzi.antivirus.supercleaner
com.pagnotto28.sellsourcecode.alpha
com.pagnotto28.sellsourcecode.supercleaner
com.antivirus.centersecurity.freeforall
com.centersecurity.android.cleaner

They have some additional tricks.

The droppers detect emulators and quit if one is found. No communications with CnC are
started in this case:


_Figure 37 – Regional statistics._


-----

_Figure 38 – Emulation evasion and region restrict code._

There is also a geofencing technique implemented inside the droppers, as can be seen in
the image above. The malicious part of the applications is not triggered if the locale is set to
China, India, Romania, Russia, Ukraine or Belarus.

The part of the application controlled by the CnC server understands 3 commands:

**b: Download and install the APK file from the provided URL.**
**c: Store the autoReply field in a local session.**
**d: Restart the execution of the local session.**

All of these applications request the same set of permissions:

_Figure 39 – Permissions._

The applications register the service to get access to Accessibility Events:


_Figure 39 – Permissions._


-----

_Figure 40 – Accessibility Service description._

Below we describe the key parts of the malicious code in the applications.

### Accessibility Service

With this command from the CnC, an application can abuse the Accessibility Service for its
own needs. The Accessibility Service is able to execute different “tasks”, which are extracted
from the Intent:

_Figure 41 – Setting up the Accessibility Service “task.”_

This “task” is later used in the event’s dispatcher. For example:

_Figure 42 – Accessibility Service “task” dispatching._

The “task” describes which actions should be performed for particular events. For example,
the default “task” looks like this:


_Figure 42 – Accessibility Service “task” dispatching._


_Figure 40 – Accessibility Service description._


-----

_Figure 43 – Accessibility Service “task” by default._

This “task” instructs the Accessibility dispatcher to perform a `CLICK on a node, which`
contains a text `Alfa Antivirus, Cleaner .`

The Accessibility dispatcher supports the following actions:

**CLICK: Performs click-action, on a chosen control.**

**SCROLL_BACKWARD: Performs back-action, on a chosen control.**

**intent: Performs permission request for:**
```
   android.settings.MANAGE_UNKNOWN_APP_SOURCES or
   android.settings.action.MANAGE_OVERLAY_PERMISSION

```
During the execution of a given “task”, every event is sent to the CnC:

_Figure 44 – Sending an Accessibility event to the CnC server._

### APK install

The malware can drop and install the APK file on the user’s device:


_Figure 43 – Accessibility Service “task” by default._


-----

_Figure 45 – Code to install the application._

_Figure 46 – Code to drop the application._

### Notifications


_Figure 46 – Code to drop the application._


-----

The stored field `autoReply works the same way as` `autoReply for Sharkbot, as`
described earlier. Malware answers with a message provided by the CnC to application,
which generates a push notification.

## Dropper Summary

As we can judge by the functionality of the droppers, their possibilities clearly pose a threat
by themselves, beyond just dropping the malware. The droppers are able to inspect and act
on all the UI events of the device as well as replace notifications sent by other applications.
In addition, they can install an APK downloaded from the CnC, which provides a convenient
starting point to spread the malware as soon as the user installs such an application on the
device.

## Conclusion

In the ever-changing contemporary (cyber-)world, nothing should be taken for granted. If a
new AV solution appears in Google Play today, there’s no way to guarantee it won’t turn out
to be a malware spreading threat tomorrow. This is the exact case we observed with the
Sharkbot malware.

In this spreading scheme, the malware itself is not uploaded to Google Play but rather the
intermediate link is, which masquerades as a legitimate software. As we can see by more
than 15,000 installations for all the applications in total, people can be lured by a beautiful
icon and a promise to “protect their devices.”

The Check Point Research Team is constantly monitoring this and other threats in the mobile
landscape, and we immediately notified Google of the malicious behavior we encountered.
Despite a fast response from Google, which removed applications linked to threat actor
accounts, more attempts were made in Google Play with more droppers from different
accounts. They were all subsequently removed as well, but the damage from 15,000
thousand installations was already done.

Google Play Protect’s solid reputation should not decrease user awareness that threat actors
are constantly evolving their malware and looking for new schemes to execute this malware
on victims’ devices. Our advice to Android users:

Install applications only from trusted and verified publishers.
If you see an application from a new publisher, search for analogs from a trusted one.
Report to Google any seemingly suspicious applications you encounter.

## Protections


-----

Check Point s [Harmony Mobile Prevents malware from infiltrating mobile devices by](https://www.checkpoint.com/harmony/mobile-security/mobile/)
detecting and blocking the download of malicious apps in real-time. Harmony Mobile’s
unique network security infrastructure – On-device Network Protection – allows you to stay
ahead of emerging threats by extending Check Point’s industry-leading network security
[technologies to mobile devices.](https://www.checkpoint.com/quantum/maestro-hyperscale-network-security/)

## Threat Emulation protections:

Sharkbot.TC.*

## IOCs

 Hashes and package names

### Sharkbot dropper

Package names:

com.antivirus.centersecurity.freeforall

com.centersecurity.android.cleaner

com.pagnotto28.sellsourcecode.supercleaner

com.pagnotto28.sellsourcecode.alpha

com.abbondioendrizzi.tools.supercleaner

com.abbondioendrizzi.antivirus.supercleaner

Hashes:

d4ba0965018aab23f02308a558e914b5ef3d03a4c90989abafd6555a9b89bf09

2c5b40ab7b1f05bc00a07f7bdcaa15920031aa4a3158c23488446076980d4e0a

7f55dddcfad05403f71580ec2e5acafdc8c9555e72f724eb1f9e37bf09b8cc0c

fe1b3b43579f34fbd78b1100d51601500d7eebae74d6ef6e783aae9ac4168c83

e5b96e80935ca83bbe895f6239eabca1337dc575a066bb6ae2b56faacd29ddaa

3ae682895af9504d3ee66ca9508066cd46d9679316bc06d206d6fae4cba56244

71c78101f7792fe879a082e323fed89c5e4a43132d01d3f79ed02afd8db45497


-----

d70a716fa7d20e01a05f753cb4d4a2150b133b12e73bdfbfe8b85eb61bc9ac43

187b9f5de09d82d2afbad9e139600617685095c26c4304aaf67a440338e0a9b6

35662d2e0c7f15b75b3b48311dae88e38929336cb43dd93df03b58c6221bc3db

20e8688726e843e9119b33be88ef642cb646f1163dce4109b8b8a2c792b5f9fc

4f6d798790d0322e365cd6901f1bb77975974a0f5b9bb5ac79abf05ffded3699

8f6875af2c7c6a75c3614fa95802e56bda4ee817646887b376e9fa8c0efad0bf

8587fe68f6a0cfe339c3e7947f52d8921c2e68f673165a624ddb203a184291fd

c07ec33a4e4533dc445c5e71d3fc3fea8d448844a2541fe91b014f85f677939c

748368c90f214069c12bc8947f07adc27c9531aa70505a5f146ddd0e300bebd4

c6cc90ed003a0acb501a2d805c16c6b0380ac510392642dc774c3a686cb028ee

c4a0901e140f3d253f8a6ddbd91d754d098450f5639b48defe7fa73c41b92737

### Sharkbot

**Hash** **Version**

c9fe0ecacd2046506b6330ae052171e1ba7709ecf5212cd84b95c1a2e7c2e22a 1.12.0

0324493329de0e0d90b93e1515ba6bdd1616d92dcdefd6956b169b18dd2955d0 1.18.0

03b65bd943fd499a076b8e5032dda729c2086642c313d228462fcb7caeadc10b 1.18.0

10dac61e734578db38a6f28e4740edf55b3c20129c4d016c3f9d2520f39dc37b 1.18.0

2a3554231a454092319014eaa86bcd4cccaa621a21cc1db4ec4a4670a1b5dde7 1.18.0

57f8a57320eeed2f5b5a316d67319191ce717cc51384318966b61f95722e275f 1.18.0

5806e7209ca645de8ff2e1afeca06e2819ecdb4905c3063156b8584a54637bb9 1.18.0

84baa47fccbb8444ca41a9b4deb5117174b82f0a834d2ed603428a9ce96f1034 1.18.0

966c64504b9c0899846c6c2011decca0c540707536f8f4da2bee000b65be431c 1.18.0

a8ab9045a6bc10e0b1148dc8c4b7dc087ca5f5d2ad6bff7bc2dab540bee8e634 1.18.0

aa627b6a4558305ab581991bb5a6f576963e40cda91321165967041d8d175194 1.18.0

c25c14c7204a33ff91f456217f123adcdd507e45a85ea5d47fec56deb4616861 1.18.0

d07cbb4ba88d815d3ecd23e6da699a4603029aa875b706090dba17db50d2d182 1.18.0


-----

d389e62433111fccb61d25a0b0f3dc44f0ece11121fd6e42afe633edb14e113a 1.18.0

02a3e0a3d922423dbf5028bc27ea623d8d0f3cd93521bf5bb3b6667dede16fbd 1.26.0

0a5c3a3b6bc50bd48613a4f516e6d6158a000250ce049dc3fa6ddd02ed52db11 1.26.0

aaba87e288a8f07f3b61099998b0ab4e0269450c0f6572c48b041bc983159457 1.26.0

fb7e8cd53038cefe3bb07043d5fc3cc48c6c1de67d563da1ed56cd0fa360c526 1.26.0

2de6a4c5891a601b2d5b8c81af182738c7cec32804b64d7f9026fb03f3a55d8e 1.27.0

37bacbe023d67ed990e5e5bdd2497878e0642b46a30e169f25313054d0e64121 1.27.0

bee3fc6b875e49edaa983ef9d38d0bcafe82abca82e684ef4fdca6df0c695c8b 1.27.0

dbb5e5d553f402d7afd55dd177b1e740d289f65108e3a4e91cc2bad33f2f0327 1.27.0

f5bc9b344ee9edf37a24e77a66b8430b7a4636c5475e404c06370eaa7e94cd8b 1.27.0

fd95e999f8d477043ea6012768bee417a989a4e925a641b9e6c4ff74d798dec6 1.27.0

8f45831b1df8fe44111e35b05271f6ec1796b03c104a67cd6481bf93f2affe86 1.31.0

9cbf93cc90a409673daf8c8c9b9640ac0a3c23629159a380a5bfb740c441e581 1.31.0

6aefc2c4727ce80f03867f356df462f1a1ce21c72801b877fdb95e67cd00d6a4 1.37.0

c69149024f25607a9b8a412dd9bdccc813f268340d0d857ccf0f7526557ab636 1.38.1

d4aed2d47ba9d7e9ba79fb9461308e62b5d6444b30012ee43f2f84e53f0f28b8 1.38.1

23fe807079bfcb1f3b6d28051cc136f84faeb334fdb64e7448bee52eab14330d 1.39.11

4f1822817690d89943e7e57468ab4366e360772c0adce67bf74a7224b3732dee 1.39.11

37e05b8a4e8183fb1c98edd64c474e4bf2e3be5de003decddf53aa046112b87e 1.40.0

ebd161adcb890f9107b7e6d41a370972823142cd61d406ad939b1c1bc26bedfb 1.40.0

0b61ffe8f0139b5fe0c6fd6cd8b37df00b1a19556ce70b9504c7f18e3c0a787f 1.41.0

2e18ee5a3023670c4fa3f3ec1e9ef972079cca9c51fb7912478e226bcef6f0c0 1.41.0

3d71b0f50d2722547a7ea38436317e6542b7147a8fcfc6fc1bbdd291a6e2c294 1.41.0

872943214e60b8a9fb67b3e85ba3cd5d8aa83b74e8466a02291c3cc2ddd8cd2a 1.41.0

ff54fff11c2279ca103dcfeb536b95b6ebf22129197525d55c5feff0b326c999 1.41.0

13641f7a0d3a2b4d0dc62b33089358a3fa4df22243dd3f852d8911179d65d779 1.42.1


-----

473dfac64c24d62a0c27a2f363ec3fd5606f2d3a0e5676292dc1c435a32c9a13 1.42.1

66ab162b73a4d8085cb7e066faa9a24ff751ffbb1edef7ee46b33b09362337a5 1.42.1

7479e6c35245f4863ca05c126b12571502827b7dbf3e11542d835ac929f8f1fb 1.42.1

fbd627182d6c1d4bd0e6405c0a9ce9a1c1c25f39c1df4b5a4861f9bcf915a213 1.42.1

079b03434b4885d436cb36620fed35f0da07f722e6ad29736fb611adfb35a3cf 1.42.4

0c55bb8ea38032270fed30e536b80993f87b16fe69772c1563c8ca18e587975d 1.42.4

30fa66d5a98b83148289e27cfcdda87e42374bb53021b379e517b734853dd791 1.42.4

33d19ada736ac56d738e5eb68c831614424b8c3f8ec0126e17bf3c93c29549e6 1.42.4

50847eed9f204a5e8d899fd9c2a09a85262cdaab2499d9abd05b966bc2d2cc8d 1.42.4

7c3d931c4389d2113e37fde5fa06b9c45055fd8599c2adf451588f891b52dce4 1.42.4

aa24cfd20700fdce590f54e692f641aca47821a59d422c12f8a2f70e6aac301e 1.42.4

b2500de649e845f6336236bb0f859027ae8a8b4a0b6910328d9dc4cd21b4ca37 1.42.4

b63adb9a145a4aeb2ec2636dd6b4307295a0dc54642ae4e895f718384cf4608b 1.42.4

f0ff0e27467dcc3b5d934de1a7788cefb14a2bd22ac23ca6534c43bf64be94fa 1.42.4

15a0ca365092b303cadc5e0d7bc5c9d7cdc90a4a3ecd2b4e8e75b7149100e405 1.42.5

6904547a8a724468fddf8fdd33bd82d89483d8bc7674aa6016d952aa5199399f 1.42.5

b3a1bc2792fae1730c9c8c32b08aa031f0961830343db83a23ae99e0ea16283c 1.42.5

b5fbd641eb69fc3c5c816868b98570a7530409541bc0877fa81a82b56ed4c04d 1.42.5

c31e83f0f9241f3d6275b45634ab5602e6d8e2778b8958fffd4edd1f8c73dacb 1.42.5

de6b629e93f2f9e7373f0066d4454eb88a276623f5bd10f4fce0f819cd02f69f 1.42.5

f0a3ef968c859891c3ab60fec38fecebdc2e48ec3b1ff57170f0b8edd8080b55 1.42.5

f397700f3af3c21bd9450bdc18334e91c63e3d8b3e94232a2174be9c129d764e 1.42.5

315872529f5c656ac919eeda0fcba7bf82294581face5af1f3847b7a2ae7082a 1.42.6

45630149742ae37fbcd828c43ef9d08e7a0b3bfa04edb62837dc3deab7499131 1.42.6

58cb82a047cbc59f8e256600e3c44fd7474dee48a97a6fb1aeefbc3de0d50a96 1.42.6

7af7b10d338471fbbb69899b1c85604444735752d676dfb36113d2453c4cfd17 1.42.6


-----

c287221cdec249058870a8a47fc52d8f500295f44df1afa44f28cb5175638ac1 1.42.6

e8b473d7d66e149051d6d1c22d56b80c3874ce715f010f99065b83eaf8192885 1.42.6

e9fcb3e3850cb24ddbe57d8224d21a4381c891dcf0ca7b38899d278ca2cd9752 1.42.6

fac5bdbc60eab9a711c4b7765fe4e060de14dd207b9393b8366b2da3eae8ec44 1.42.6

1ee32c17e31472c7a86813a9c4bbdfcb38b1cac1804affdbe59a229476b69993 1.43.0

27118fec3774c8e001ecd1ffd73c278349e90ded4c6327fbdfcefd627ca614de 1.43.0

464957f5382596adac7a2a29999045c966c09a5ef65c03faa4d9ef40af3c3a3d 1.43.0

473cb6b55b7fa3e56a7e43b6d07bc6098029c743d6e50b39bfc664065d595ba5 1.43.0

47586df3f433428a3022bb3d48cdfc84237abd8aad1703adc29162feb3c97111 1.43.0

6e1f42305c28920c3d0bce6c7b664847ba3868c8b4dd5f5f0e6b1f76825468f0 1.43.0

9fc55975b553cccebb6184715c183d51bf494f4c9069a05e568868f6fe012df2 1.43.0

d61b3a409c0f7aa3d81649c8aa1a32827ea5c96204a38b136e2b5d891749ff19 1.43.0

1fc21d521b8ef4892020add6ddc723a256b7bf4f206ad02a5b5f06f49119c607 1.43.1

4483fdef4a4daef9cf9bde26b60701a9637e92e36da465dbb7da933e183013a9 1.43.1

500c26fe5d4049ef91082d890d7fa70e0a142fde0f91c0494e38850a04a59171 1.43.1

8a2e416b00f7a1036af0614657336beb28cd261f4c5737e2a406b7867c8a5305 1.43.1

e13caa4a61ca1cd09f368d863acfc774f2cfaec1c89b096f6ec71254e89edcbd 1.43.1

ecd72ab02615241fb8998021f5785f5286b350892bd8b8b80bd8e120333797ca 1.43.1

0661a2e3c736eed8bc780f52d738cb40d8784e9af626c793b72a234fb2e649e6 1.43.3

772b549206b55f17cc61c636d5ceccd6d1de80979d8e016954ff47929a7f410a 1.43.3

8f247fb8429dd227043656034b9bf589ddb9e73991e96f484ad1268b2178870b 1.43.3

ba25a5ff9827d17de38f069eb6e529e0a245fa74088084ea51708d628c68a7aa 1.43.3

4683704a03b22fcc204d7289ce4ba5566570d630554b86328b2b9091b160c3a9 1.43.5

bff1c2b1861cdec5d099904d20bddb877056a274451fe9d245d36699d7d23736 1.43.5

c93fcd293cc6a51b4012bd80e8050b4eb2ee886fc6fc3d9682cfc4907482c60e 1.43.7

f845d24f6abfa140575941e4a5b006e924a0b9cbf6b70c750293e1eb8c1bb713 1.43.7


-----

57e9b2ac2694b69890bd5f2c53541681840e095dfe8fbfb4e739222cc280b1ae 1.44.0

859a1143f5640d3ae86912cf92ad77fdde9065da5745266aaf4552e8e692c5cc 1.44.0

3b549fa3307e0a1ac12a01044bbbd18bfc5b7742ec04faeef9b40a3a59bf8b00 1.44.1

4f60a24ee01be66f2f6a0b6049b93ca9c2d5cabb8b209b0ae37d78800063d454 1.44.1

565bfc4e71d53447bcfb383001a2668fead68b8d8ce515c0db5ab4d56b3b3add 1.44.1

da5d8415460ddabd4289a2e081fcf16cb6d07b91171e6575389ded2d5ba0e3b2 1.44.1

05af7baa976a5d5c163a57f1c19754eadec41de35970cfa1f83ed965c32316d2 1.45.0

5ca8d5a31590431ac86569beedcc350ca3dca75168f8aeb268da7defe93674ef 1.45.0

6c199ad0700fc0f1e0a560f1c8a4aa899e18f3c7ed499746a3ed9741dccba27f 1.45.0

983dee0dac41a8f1f1aaf9611ae065113f2582160b3d7e24c8638ee5a7d11e87 1.45.0

75d019620ed05b67f93984ae721bdcef685d61caebbd33bfa35ecb7b47b97664 1.48.4

77944a315543accae531af01a13d1fcbbe01f3a72ce19b00ac7c3b73c9c63fd3 1.48.4

4b7945e3756abb48e2a9b62d8a3a7f633811a1073a20a7d46c121e29b41b6c31 1.63.0

41e25852036f2f3bb17de1e3791496b3522e8082f6c618dcf385f66d79e7bb18 1.63.4

801cb9c245af9addb0df0bb3444a70c48edc964c781995b387b7cde12d51ec1f 1.63.4

abf66663dc7c90e4ce2d7430280ce982f895e15918aa13ce6fe62f573b2fb0d0 1.63.4

2159391357cd38f28c95f2a47f7685bd5919a0ed93d8cab72ad59b5f571b7389 1.64.0

9701bef2231ecd20d52f8fd2defa4374bffc35a721e4be4519bda8f5f353e27a 1.64.1

be7bdaaf9409898add0dcf43e2d5b6660fdb5d512d132b7706a24b0b6020999e 1.64.1

## Network

### Static domains and URLs

sigmastats.xyz

https://statscodicefiscale.xyz/stats/

mjaznxbvakjjouxir0z.xyz

0f995b6f93c819a0.xyz


-----

74071141daaf3521.xyz

sharkedtestuk.xyz

y2znlm93bmvysuq0m3b.xyz

c2hhcmtlzdq5cg9qqkk.top

ndlwb2pcstlmsedgzgz.top

c2hhcmtlzdq3cg9qqkk.xyz

sharkedtest1.xyz

nddwb2pcstlmsedgzgz.top

c2hhcmtlzdq3cg9qqkk.info

## Appendix – Sharkbot versions

This is a list of all Sharkbot versions we have observed so far:

Version First seen Last seen Notes


1.18.0 November
2, 2021

1.26.0 December
3, 2021

1.27.0 November
10, 2021

1.31.0 November
16, 2021

1.37.0 November
15, 2021

1.38.1 November
15, 2021

1.39.11 November
18, 2021

1.40.0 December
3, 2021

1.41.0 November
21, 2021


January 3,
2022

December
20, 2021

November
18, 2021

March 15,
2022

only one
sample found

only one
sample found

November
21, 2021

only one
sample found

January 3,
2022


-----

1.42.1 November
21, 2021

1.42.4 November
21, 2021

1.42.5 November
21, 2021

1.42.6 November
22, 2021

1.43.0 November
25, 2021

1.43.1 November
25, 2021

1.43.3 November
23.2021

1.43.5 November
25, 2021

1.43.7 November
25, 2021

1.44.0 November
25, 2021

1.44.1 November
29, 2021

1.45.0 November
29, 2021

1.48.4 December
02, 2021

1.63.0 February 9,
2022

1.63.4 February
22, 2022

1.64.0 February
25, 2022

1.64.1 March 9,
2022


January 3,
2022

November
21, 2021

November
21.2021

November
22, 2021

November
25, 2021

November
25, 2021

November
25, 2021

only one
sample found

only one
sample found

only one
sample found

December 8,
2021

November
29, 2021

only one
sample found

only one
sample found

February 27,
2022

only one
sample found

March 11,
2022


Introduced accessibility service “task”

added switch sendNotifToAdmin to turn on/off
sending all notifications to CnC

APP_STOP_VIEW added

added autoReply and removeApp commands


-----

It is interesting to note that there was a long pause of 2 months between the first sightings of
versions 1.48.4 and 1.63.0:

Version 1.48.4 was first seen on December 4, 2021
Version 1.63.0 was first seen on February 9, 2022

The key features introduced in different versions are listed below in the form of a change log:

On November 21, 2021 (v.1.42.4) accessibility service tasks were added.
On November 25, 2021 (v.1.44.0) switch sendNotifToAdmin was added. This switch is
used for controlling sending device’s notifications to CnC.
On December 2, 2021 (v.1.48.4) command APP_STOP_VIEW was added.
On February 9, 2022 (v.1.63.0) new DGA algorithm was introduced.


-----