SharkBot, a sophisticated banking malware, has been once again spotted on Google Play Store. The banking malware, first detected in November 2021, is disguised as an antivirus app with system cleaning capabilities.

What's new?

  • The latest version of the SharkBot malware is using Automatic Transfer Systems (ATS) to transfer money by abusing the Accessibility permission on devices and grants itself additional required permissions.
  • It can, therefore, know whenever a user opens a banking app to launch matching web injections and steal credentials.

Key functionalities

The latest variant has four primary functions: injections, keylogging, SMS intercepting, and remote control/ATS.
  • Injections help the malware steal credentials by WebView using a fake login website (phishing). 
  • Using keylogging capabilities, it steals credentials by logging accessibility events and sending logs to the C2 server.
  • Further, it intercepts or hides SMS messages while also obtaining full remote control of an Android device via Accessibility Services.

Auto-reply feature

SharkBot uses relatively new component features to utilize the Direct reply feature for notifications.
  • This feature is used to drop feature-rich payloads onto the infected device by replying with a shortened URL. The initial dropper app has a light version of the malware to avoid detection and rejections by app stores.
  • Using the auto-reply feature, the entire SharkBot version featuring ATS is fetched directly from the C2 and installed automatically. Moreover, the C2 relies on a DGA that makes it harder to detect/block the command-issuing domains.


SharkBot continues to grow as a potential threat. Smartphone users are requested to be careful with the type of apps they download from various app stores and perform additional checks, if not sure. Further, a user should try to use minimum apps on their devices and avoid unnecessary apps.
Cyware Publisher