{
	"id": "1a14813d-83ba-4957-913f-699378220bb9",
	"created_at": "2026-04-06T01:30:09.922821Z",
	"updated_at": "2026-04-10T03:20:38.536026Z",
	"deleted_at": null,
	"sha1_hash": "f3c27d88db8e801d47c3642ab1e63404f6d8b7cd",
	"title": "SharkBot: a new generation of Android Trojans is targeting banks in Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5216332,
	"plain_text": "SharkBot: a new generation of Android Trojans is targeting banks in Europe\r\nBy Federico Valentini, Francesco Iubatti\r\nArchived: 2026-04-06 00:32:23 UTC\r\n\r\nKey Points\r\nAt the end of October 2021, a new Android banking trojan was discovered and analyzed by the Cleafy TIR team. Since we didn't find references to any known families, we decided to dub this new family SharkBot.\r\nThe main goal of SharkBot is to initiate money transfers from the compromised devices via the Automatic Transfer System (ATS) technique, bypassing multi-factor authentication mechanisms (e.g., SCA). These mechanisms are used to enforce users' identity verification and authentication; they are usually combined with behavioural detection techniques to identify suspicious money transfers.\r\nWe identified a botnet which is currently targeting the UK, Italy, and the US, including banking applications and cryptocurrency exchanges. Given its modular architecture, we don't exclude the existence of botnets with other configurations and targets.\r\nOnce SharkBot is successfully installed on the victim's device, attackers can obtain sensitive banking information through the abuse of Accessibility Services, such as credentials, personal information, current balance, etc., and can also perform gestures on the infected device.\r\nAt the time of writing, SharkBot appears to have a very low detection rate by antivirus solutions, since multiple anti-analysis techniques have been implemented (a string obfuscation routine, emulator detection and a domain generation algorithm (DGA) for its network communication), in addition to the fact that the malware has been written from scratch.\r\nSharkBot implements overlay attacks to steal login credentials and credit card information, and it also has capabilities to intercept legitimate banking communications sent through SMS.\r\nAt the time of writing, multiple indicators suggest that SharkBot could be at its early stages of development.\r\n\r\nExecutive Summary\r\nAt the end of October 2021, a new Android banking trojan appeared on Cleafy's telemetries. Given the lack of information and the absence of a proper nomenclature for this malware family, we decided to dub it SharkBot to better track this family inside our internal Threat Intelligence taxonomy.\r\nSharkBot belongs to a “new” generation of mobile malware, as it is able to perform ATS attacks inside the infected device. This technique has already been seen recently in other banking trojans, such as Gustuff. ATS (Automatic Transfer System) is an advanced attack technique (fairly new on Android) which enables attackers to auto-fill fields in legitimate mobile banking apps and initiate money transfers from the compromised devices. Contrary to TeaBot and Oscorp/UBEL, where a live operator is required to insert and authorize a money transfer, with the ATS technique Threat Actors can scale up their operations with minimum user intervention. We assume that SharkBot is trying to bypass behavioural detection countermeasures (e.g., biometrics) put in place by multiple banks and financial services with the abuse of Android Accessibility Services, also bypassing the need of a “new device enrollment”.\r\nhttps://www.cleafy.com/cleafy-labs/sharkbot-a-new-generation-of-android-trojan-is-targeting-banks-in-europe\r\nPage 1 of 12\r\nFigure 1 – Example of how SharkBot performs an ATS attack\r\nMoreover, SharkBot appears to have all the main features of today's Android banking trojans, achieved by abusing Accessibility Services [1], such as:\r\nAbility to perform classic overlay attacks against multiple applications to steal login credentials and credit card information\r\nAbility to intercept/hide SMS messages\r\nEnabling key-logging functionalities\r\nAbility to obtain full remote control of an Android device (via Accessibility Services)\r\nAt the time of writing, we didn't notice any samples on Google's official marketplace. The malicious app is installed on the users' devices using both the side-loading technique and social engineering schemes.\r\nThanks to an in-depth analysis of several samples related to SharkBot, we collected 22 different targets, including international banks from the UK and Italy and 5 different cryptocurrency services, as shown in the following Figure 2:\r\nFigure 2 – Geographical distribution of banks currently targeted by SharkBot\r\n[1] https://developer.android.com/reference/android/accessibilityservice/AccessibilityService\r\n\r\nTechnical Analysis – Overview\r\nSharkBot is a new generation Android banking trojan, discovered by the Cleafy Threat Intelligence team at the end of October 2021. The name “SharkBot” comes from multiple strings found in its binaries, which contain the word “sharked”.\r\nSharkBot hides itself with common names and icons, posing as a legitimate application to the victims, as shown in Figure 3.\r\nFigure 3 – Main names/icons used by SharkBot\r\nHowever, during its installation, SharkBot immediately tries to enable Accessibility Services, which keep being requested persistently with fake pop-ups until the victim accepts.\r\nFigure 4 – Installation phases of SharkBot\r\nOnce the malicious app has been installed, no icon is displayed on the device and SharkBot is able to get all the permissions needed (declared inside the AndroidManifest file) thanks to the accessibility services enabled. This is done by clicking instantly on the popup shown to the user.\r\nFigure 5 – Android Permissions of SharkBot\r\nWith the permissions shown in Figure 5, SharkBot is able to read/send text messages, perform overlay attacks and, with the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission, it is able to bypass Android's doze component and stay connected to the C2 servers to continue its malicious behavior.\r\nAt the time of writing, SharkBot seems to be still under development, as the very first samples tracked down at the end of October use:\r\na demo version of the Allatori Java Obfuscation [2] (as shown in Figure 6).\r\nthe word “example” in the package name.\r\nthe words “test1” and “testuk” inside the C2 used during the first exchange of information with the malware.\r\nsome functionalities are not yet available.\r\nFigure 6 – Use of a demo version of the Allatori Java Obfuscation\r\nSo far, SharkBot has a very low detection rate by antivirus solutions (only 3/62), as shown by Figure 7. This means that the malware has been written from scratch, in addition to the fact that it uses an external module, downloaded from the C2, containing the ATS core functionalities and the anti-detection techniques used to slow down the static and dynamic analysis.\r\nAnalysing the underground hacking forums, we didn't find any references to this malware. This makes us think that SharkBot is still a private botnet.\r\nFigure 7 – Detection of SharkBot by antivirus solutions\r\nFigure 8 – Some information about the SharkBot botnet\r\n[2] http://www.allatori.com/ (*Allatori is a legitimate software)\r\n\r\nEvasion techniques\r\nSharkBot uses different anti-analysis and anti-detection techniques, in particular:\r\nStrings obfuscation, to slow down the static analysis and “hide” all the commands and important information used by the malware, as shown in Figure 9.\r\nFigure 9 – Example of strings obfuscation\r\nAnti-Emulator. When the malicious application is installed on the device, it checks if the device is an emulator or a real phone. This technique is usually used to bypass sandboxes or common emulators used by researchers during the dynamic analysis.\r\nExternal ATS module. Once installed, the malware downloads an additional module from the C2. The external module is a “.jar” file that contains all the functionality used to perform the ATS attacks. We analyze this module in the paragraph “SharkBot - ATS (Automatic Transfer System) module”.\r\nHide the app icon. Once installed, SharkBot hides the icon of the app from the device screen.\r\nAnti-delete. Like other malware, SharkBot uses the Accessibility Services to prevent the user from uninstalling the malicious application from the settings options.\r\nEncrypted communication. All the communication between the malware and the C2 is encrypted and encoded with Base64. In addition to this, SharkBot uses a Domain Generation Algorithm (DGA).\r\nFigure 10 – SharkBot DGA method\r\n\r\nSharkBot “classical” features\r\nAlthough SharkBot has an ATS module, it also has some common features present in other banking trojans, in particular:\r\nThe capability to read and hide SMS received by the infected user (sending them to the threat actor's C2 server). This feature is mostly used by threat actors to get the 2FA codes sent by the bank via text messages.\r\nThe “now famous” overlay attack used to steal login credentials and credit card data. This feature is used by SharkBot to obtain the login credentials of the targeted banks/crypto apps, in order to perform the ATS attack in the next step.\r\nFigure 11 – Example of overlay attack performed by SharkBot\r\n\r\nSharkBot – ATS (Automatic Transfer System) module\r\nAndroid's Accessibility Service has historically been abused by multiple banking trojans (e.g., TeaBot, Oscorp/UBEL) for conducting multiple malicious actions on the infected device. SharkBot, similar to Gustuff, is able to abuse the Accessibility Service, enabling ATS attacks inside the infected device.\r\nATS (Automatic Transfer System) attacks enable the TA to auto-fill fields in legitimate mobile banking apps and initiate money transfers from the compromised devices to a money mule network controlled by the TA or other affiliates. This makes it possible to scale up their operations with minimum user intervention.\r\nFrom a bank's perspective, mobile ATS attacks are very hard to identify and handle since typically:\r\nThey don't require a “new device enrollment” phase, which drastically reduces their footprint.\r\nThey are able to bypass any 2FA mechanism used by banking applications (e.g. SMS-based, push-based, etc.).\r\nAs all the actions are performed from the trusted user's device, ATS attacks are able to bypass behavioral detection mechanisms, including behavioral biometrics.\r\nIllegitimate wire transfers are inserted and authorized on the victim device itself, which is typically considered “trusted” by banks.\r\nOnce a victim has granted accessibility permissions, all the contents shown on the device screen can be intercepted and manipulated by SharkBot. Those capabilities are gained through Android AccessibilityEvents, which are events sent by the Android OS when something notable happens in the user interface. In fact, the main purpose of an accessibility event is to communicate changes in the UI to an AccessibilityService.\r\nSharkBot appears to be interested only in a specific subset of accessibility events, which are the following:\r\nFigure 12 – AccessibilityEvent types intercepted by SharkBot\r\nWe can group all the accessibility events intercepted by SharkBot as follows:\r\nTYPE_VIEW_CLICKED, TYPE_VIEW_SELECTED, TYPE_VIEW_TEXT_CHANGE, TYPE_VIEW_TEXT_SELECTION_CHANGE: fired when a button is clicked, an item is selected or when text changes are detected.\r\nTYPE_WINDOW_STATE_CHANGED, TYPE_WINDOW_CONTENT_CHANGED, CONTENT_CHANGE_TYPE_TEXT: fired when a visually distinct section of the user interface is detected, for example when a new Activity has been launched (e.g. navigating to a different page of the same application, or switching applications).\r\nTYPE_NOTIFICATION_STATE_CHANGED, TYPE_ANNOUNCEMENT: fired when a new notification appears on the device or when an application makes announcements.\r\nSharkBot has already implemented various functions which are used for parsing all the data extracted from the UI, saving them in JSON format and exfiltrating them to the designated C2 server:\r\nFigure 13 – Retrieve and save data extracted from the intercepted Accessibility events\r\nThe TA can also passively log all the exfiltrated information from each infected device and enrich it with detailed information useful for a further ATS attack, such as account balance(s), enabled 2FA/SCA/MFA mechanisms, cash-out availability (e.g. SEPA, Instant payments), etc.\r\nOnce the ATS attack is remotely requested by the TA, SharkBot will start interacting with the infected device, auto-filling fields in legitimate mobile banking apps and initiating money transfers. During this phase the TA can also interact with the targeted application, simulating gestures and clicks if required.\r\nFigure 14 – Auto-fill fields in legitimate mobile banking app during ATS attack\r\n\r\nConclusion\r\nWith the discovery of SharkBot we have shown new evidence about how mobile malware is quickly finding new ways to perform fraud, trying to bypass the behavioural detection countermeasures put in place by multiple banks and financial services during the last years.\r\nLike the evolution of workstation malware that occurred in the past years, also in the mobile field we are seeing a rapid evolution towards more sophisticated patterns like ATS attacks.\r\n\r\nAppendix 1: SharkBot commands\r\nThe following table summarizes the list of all the commands found in SharkBot during the technical analysis:\r\nCommand Description\r\nupdateLib Not implemented\r\nupdateSQL Update configuration data stored on a local database\r\nupdateConfig Update the configuration file, containing the C2 url and the targets\r\nuninstallApp Delete an app installed on the infected device\r\nchangeSmsAdmin Change the default SMS app manager\r\nsendInject Receive Overlay attack payloads from the C2\r\nupdateTimeKnock Update the bot timestamp\r\nsendPush Not implemented\r\nunlockPhone Set a specific variable during the ATS attack\r\nats Enable ATS attacks\r\noverlay Enable Overlay attacks\r\nenableKeyLogger Get keylogging steps during the ATS attack\r\nunlockPhone1 Check if the device has a PIN, pattern or password set up\r\noverlay2 Enable Overlay attacks\r\nopenPackage Open an arbitrary Android application\r\ndoze Bypass the Android “doze” feature to enable network communication in the background\r\nstopAll Reset the ATS routine\r\n\r\nAppendix 2: IOCs\r\nApp Name Media Player HD\r\nPackage Name com.pycdvgljmfgh3hgp8jo72giu.omflsx1q2g\r\nMD5 f7dfd4eb1b1c6ba338d56761b3975618\r\nC2\r\nsharkedtest1[.]xyz\r\nsharkedtestuk[.]xyz\r\nSource: https://www.cleafy.com/cleafy-labs/sharkbot-a-new-generation-of-android-trojan-is-targeting-banks-in-europe",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/sharkbot-a-new-generation-of-android-trojan-is-targeting-banks-in-europe"
	],
	"report_names": [
		"sharkbot-a-new-generation-of-android-trojan-is-targeting-banks-in-europe"
	],
	"threat_actors": [],
	"ts_created_at": 1775439009,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3c27d88db8e801d47c3642ab1e63404f6d8b7cd.pdf",
		"text": "https://archive.orkl.eu/f3c27d88db8e801d47c3642ab1e63404f6d8b7cd.txt",
		"img": "https://archive.orkl.eu/f3c27d88db8e801d47c3642ab1e63404f6d8b7cd.jpg"
	}
}