Cyber Security News

SharkBot Trojan Spreading via Fake Antivirus Apps on Google Play

Security analysts at Check Point Research (CPR) team have recently revealed that there have been a number of malicious Android apps masquerading as antivirus solutions that have been used to spread the SharkBot banking Trojan from the Google Play Store.

This banking trojan was distributed using six malicious Android apps masquerading as antivirus solutions in the Google Play Store. 

While all these malicious applications came from the following developers’ accounts:-

  • Zbynek Adamcik
  • Adelmio Pagnotto
  • Bingo Like Inc

The threat actors use Sharkbot to steal and manipulate bank details and login credentials since it’s an information stealer. The malware uses evasion techniques and geofencing features in order to avoid infecting devices from any of these countries:-

  • China
  • India
  • Romania
  • Russia
  • Ukraine
  • Belarus

Capabilities of SharkBot

In October 2021, Cleafy was the first company to notice the malware, and it’s one of the most powerful features, the ability to transfer money via ATS (Automatic Transfer Systems).

Here the threat actors exploit the compromised devices to execute this task by simulating the following things:-

  • Touches
  • Clicks
  • Button presses

Here below we have mentioned the primary functions of SharkBot:-

  • Injections
  • ATS
  • Overlay attack
  • Keylogging
  • SMS intercept
  • Remote control

It is believed that more than 15000 copies of the rogue apps were installed before their removal, with the majority of victims either living in:- 

  • Italy
  • The United Kingdom

However, after the reporting, all the malicious applications were removed from the Play store by Google permanently. 

Apart from this, the security analysts have observed 27 versions of Sharkbot, and in SharkBot the threat actors use another stealthy and sophisticated technique that is rarely used in Android malware:-

Domain Generation Algorithm (DGA)

Affected apps

Several applications on Google Play have been masked as Sharkbot droppers, and here they are mentioned below:-

  • com.abbondioendrizzi.antivirus[.]supercleaner
  • com.pagnotto28.sellsourcecode[.]alpha
  • com.pagnotto28.sellsourcecode[.]supercleaner
  • com.antivirus.centersecurity[.]freeforall

Commands Used

Here below we have mentioned all the commands used by SharkBot:-

  • smsSend
  • updateLib
  • updateSQL
  • updateConfig
  • uninstallApp
  • collectContacts
  • changeSmsAdmin
  • getDoze
  • sendInject
  • iWantA11
  • updateTimeKnock
  • sendPush
  • Swipe
  • autoReply
  • removeApp
  • serviceSMS
  • getNotify
  • localATS
  • sendSMS
  • downloadFile
  • stopAll

SharkBot can present you with fake overlay windows of fake banking apps using Android’s Accessibility Services permissions that allow it to bypass certain security measures.

It is possible for SharkBot to create auto-replies to notifications from popular apps such as Facebook Messenger and WhatsApp to make the antivirus app share a phishing site to attract victims.

That’s why the security experts strongly recommended users not download any applications from unknown sources. Not only that even they have also urged users to stay alert and cautious while downloading any app from a reputable store.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.

Recent Posts

Defend Ransomware Attacks With Top Effective Proactive Measures in 2024

We're currently living in an age where digital threats loom large. Among these, ransomware has…

43 mins ago

GoTitan Botnet Actively Exploiting Apache ActiveMQ Vulnerability

Attackers are exploiting the recently discovered critical security vulnerability tracked as (CVE-2023-46604) affecting Apache ActiveMQ…

17 hours ago

Cybercriminals are Showing Hesitation to Utilize AI When Executing Cyber Attacks

Media reports highlight the sale of LLMs like WormGPT and FraudGPT on underground forums. Fears…

18 hours ago

Vigil: Open-source Security Scanner for LLM Models Like ChatGPT

An open-source security scanner, developed by Git Hub user Adam Swanda, was released to explore…

18 hours ago

Slovenia’s Biggest Power Provider has Suffered a Cyberattack

One of Slovenia's major power providers, HSE, has recently fallen victim to a significant cyberattack.…

19 hours ago

Genesis Market Technique: Hackers Exploited Node.js and EV Certificates

In the labyrinthine landscape of cyber threats, the Trend Micro Managed XDR team has uncovered…

21 hours ago