Malware infiltrating Android devices to steal bank login details is nothing new, but the threat around it is only growing intense with the new variant of SharkBot and introduction of a new trojan, dubbed Zanubis.

The Sharkbot campaign

SharkBot malware's improved version has infiltrated the Google Play Store via two malicious apps that have been downloaded over 60,000 times by users globally.
  • The trojan targets Android users' banking logins via infected apps.
  • However, SharkBot is added as an update and is executed only after the user installs and launches the dropper apps.
  • Attack campaigns using the malware have been observed in Europe - Spain, Austria, Germany, Poland, Austria, and the U.S.
  • Last month, researchers disclosed about a new upgrade with an added feature of a cookie logger that could steal cookies from bank account logins.

Moreover, Cyble researchers came across a Twitter post, mentioning another Android banking trojan, Zanubis, targeting users in Peru.

The Zanubis’ campaign

The new android variant of Zanubis was found targeting over 40 applications from Peru.
  • The Zanubis malware pretends to be a malicious PDF application. The threat actor uses it as a key to decrypt responses received from the C2 server.
  • The malware further sends the data to the server to identify the targeted application with the aim of carrying out an overlay attack.

The app still appears to be under development.

The rise of Android-based banking trojans

The use of SharkBot and Zanubis as Android banking trojans by threat actors follows the discovery of other banking trojans uncovered in the recent past.
  • A new spear phishing email campaign designed to deliver the Grandoreiro banking trojan was spotted a few weeks back to target organizations in Spain and Mexico.
  • Last month, SOVA, an Android banking trojan, evolved with new features to target over 200 banking, digital wallet, and cryptocurrency exchange applications.


With improved malware versions, threat actors continue to throw new challenges at cybersecurity community as well as to the users. To keep malware infections at bay, users must be mindful before giving unnecessary permissions to apps. Keeping devices and applications updated to its latest versions is a critical step toward securing devices from malicious infections.
Cyware Publisher