SharkBot malware lurks as Android antivirus in Google Play


The SharkBot banking malware has infiltrated the Google Play Store, the official Android app repository, posing as an antivirus with system cleaning capabilities.

Although the Trojan app is far from popular, its presence on Play Store shows that malware distributors can still bypass Google’s automatic defenses. The app is still present in the Google store at the time of writing.

The laced Android app that carries SharkBot
The laced Android app that carries SharkBot
Publisher contact details on the Play Store
Publisher contact details on the Play Store

SharkBot was discovered on Google Play by researchers from the NCC Group, who today published a detailed technical analysis of the malware.

What can SharkBot do?

The malware was first discovered by Cleafy in October 2021. Its most prominent feature, which distinguished it from other banking Trojans, was the transfer of money through automatic transfer systems (ATS). This was achieved by simulating touches, clicks, and button presses on compromised devices.

NCC reports that the money transfer function is still available in the latest version but only used in certain cases of advanced attacks.

The four main functions of the latest version of SharkBot are:

  • Injections (overlay attack): SharkBot can steal credentials by displaying web content (WebView) with fake login website (phishing) as soon as it detects opening the official banking app
  • Keylogging: Sharkbot can steal credentials by logging accessibility events (related to text field changes and button clicks) and sending those logs to command and control (C2) server
  • Text message intercept: Sharkbot can intercept/hide SMS messages.
  • Remote control/ATS: Sharkbot has the ability to gain full remote control of an Android device (via Accessibility Services).

To perform the above, SharkBot abuses the Accessibility permission on Android and then grants itself additional permissions as needed.

In this way, SharkBot can detect when the user opens a banking application, performs the corresponding web injections and steals the user’s credentials.

The malware can also receive commands from the C2 server to perform various actions such as:

  • Send an SMS to a number
  • Change SMS handler
  • Download a file from a specified URL
  • Receive an updated configuration file
  • Uninstall an app from the device
  • Disable battery optimization
  • Show anti-phishing overlay
  • Activate or stop the ATS
  • Close a specific application (like an AV tool) when the user tries to open it

Reply to notifications

One of the notable differences between SharkBot and other Android banking Trojans is the use of relatively new components that take advantage of the “Direct Reply” feature for notifications.

SharkBot can now intercept new notifications and respond to them with messages coming directly from C2.

The code for the auto-reply function
The code for the auto-reply function (NCC Group)

As noted in the NCC report, SharkBot uses this feature to drop feature-rich payloads onto the compromised device by responding with a shortened URL.

The initial SharkBot dropper app contains a light version of the actual malware to reduce the risk of detection and rejection from the App Store.

Thanks to the “auto-response” function, a full version of SharkBot with ATS is extracted directly from the C2 and automatically installed on the device.

Decrypted C2 response commanding payload download
Decrypted C2 response commanding payload download (NCC Group)

The C2 relies on a DGA (Domain Generation Algorithm) system which makes it more difficult to detect and block domains issuing SharkBot commands.

To protect yourself from dangerous Trojans like SharkBot, never blindly trust apps from the Play Store and try to keep the apps installed on your device to a minimum.

If you are looking for an Android antivirus, there are several trusted vendors that offer their tools for free.


Comments are closed.