article featured image


SharkBot is a banking malware for Android devices that was discovered around the end of October 2021. One of the primary objectives of SharkBot is to start money transfers from hacked devices via the Automatic Transfer Systems (ATS) approach, which circumvents multi-factor authentication measures.

Identification and authentication systems are used to impose user identity verification and authentication, and they are often paired with behavioral detection techniques to identify suspect money transactions.

What Happened?

SharkBot financial malware has been found in the Google Play Store, the official Android software repository, and is masquerading as an antivirus with system cleaning capabilities, according to researchers.

The laced Android application that carries SharkBot


Despite the fact that the trojan software was not widely used, its appearance on the Google Play Store indicates that malware distributors may still get by Google’s automated safeguards.

Researchers at the NCC Group identified SharkBot on Google Play and provided a full technical study of the virus today.

The ATS features allow the malware to receive a list of events to be simulated, and them will be simulated in order to do the money transfers. Since this features can be used to simulate touches/clicks and button presses, it can be used to not only automatically transfer money but also install other malicious applications or components. This is the case of the SharkBot version that we found in the Google Play Store, which seems to be a reduced version of SharkBot with the minimum required features, such as ATS, to install a full version of the malware some time after the initial install.

Because of the fact of being distributed via the Google Play Store as a fake Antivirus, we found that they have to include the usage of infected devices in order to spread the malicious app. SharkBot achieves this by abusing the ‘Direct Reply‘ Android feature. This feature is used to automatically send reply notification with a message to download the fake Antivirus app. This spread strategy abusing the Direct Reply feature has been seen recently in another banking malware called Flubot, discovered by ThreatFabric.

What is interesting and different from the other families is that SharkBot likely uses ATS to also bypass multi-factor authentication mechanisms, including behavioral detection like bio-metrics, while at the same time it also includes more classic features to steal user’s credentials.


The virus, initially detected by Cleafy researchers in October 2021, has four major functions.

  1. Ability to perform classic Overlay Attacks against multiple applications to steal login credentials and credit card information
  2. Ability to intercept/hide SMS messages
  3. Enabling key-logging functionalities
  4. Ability to obtain full remote control of an Android device (via Accessibility Services)

As explained by BleepingComputer the malware is able to also receive commands from the C2 server to perform a variety of actions:

  • sending SMS to a specific number
  • changing the SMS manager
  • downloading a file from a specified URL
  • receiving an updated configuration file
  • uninstalling apps from the device
  • turning off battery optimization
  • displaying the phishing overlay
  • activating and deactivating antivirus software

To keep yourself safe from potentially harmful trojans such as SharkBot, never blindly trust any programs from the Google Play Store, and restrict the number of installed apps on your smartphone to a bare minimum.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *