article featured image


Malicious applications masquerading as antivirus solutions on the Google Play Store have been identified by security experts. These dangerous apps contain the SharkBot trojan, whose targets are Android devices. SharkBot stands for an info-stealer whose purpose is credentials and banking info theft.

How the Sharkbot Campaign Unfolds

Researchers from Checkpoint have published a report on the discovered campaign, explaining how SharkBot works. Once installed, the trojan leverages DGA to trick victims into entering their credentials in little windows that look to be standard input forms.

It takes advantage of Android’s Accessibility Service to display bogus overlay windows over authentic banking apps. Besides, it can also auto-reply to Facebook Messenger and WhatsApp messages in order to promote links to bogus antivirus programs.

The trojan also uses a geofencing function to prevent targeting devices in India, China, Russia, Ukraine, Belarus, and Romania and checks if it is running in a sandbox to avoid being examined.

Sharkbot steals credentials and banking information. The malware implements a geofencing feature and evasion techniques that makes it stand out in the field. It also makes use of Domain Generation Algorithm (DGA), an aspect rarely used in the world of Android malware. Sharkbot lures victims to enter their credentials in windows that mimic benign credential input forms. When the user enters credentials in these windows, the compromised data is sent to a malicious server. Sharkbot has a handful of tricks up its sleeve. It doesn’t target every potential victim it encounters, but only select ones, using the geofencing feature to identify and ignore users from China, India, Romania, Russia, Ukraine or Belarus. Evasion techniques are also a part of Sharkbot’s arsenal. If the malware detects it is running in a sandbox, it stops the execution and quits.


SharkBot has been discovered in six separate apps, according to researchers. Three developer accounts, Adelmio Pagnotto, Bingo Like, and Zbynek Adamcik, were responsible for these programs.

Two of these accounts were active in the fall of 2021, according to the accounts’ history. Except in unauthorized stores, certain apps linked to these accounts have been uninstalled.

Before Google deleted these fraudulent apps from the Play Store, they had been downloaded over 15,000 times. The majority of the victims were discovered in Italy and the United Kingdom.

It seems that every day, threat actors are discovered infiltrating the Google Play Store and other similar sites to disseminate their malicious software, in this case, the SharkBot banking trojan. Some tips to remain protected against these online threats would be to only download apps from trusted/verified publishers, and report any questionable apps to the app store.

Did you enjoy this article? Follow us on LinkedInTwitterFacebookYoutube, or Instagram to keep up to date with everything we post!

Author Profile

Andra Andrioaie

Security Enthusiast

linkedin icon

Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!

Leave a Reply

Your email address will not be published. Required fields are marked *