SharkBot Banking Trojan

SharkBot: Advanced Android Banking Trojan with Automatic Money Transfer Capabilities

SharkBot is a modern Android banking Trojan first discovered in late 2021, designed to steal login credentials and perform Automated Transfer System (ATS) attacks within mobile banking apps. It abuses Android’s accessibility services to navigate apps, fill in forms, and complete unauthorized transactions without user input. SharkBot is constantly updated and distributed via fake security apps and utility tools, often sneaking into the Google Play Store before detection.

Introduction to SharkBot

Unlike older Android malware that passively steals information, SharkBot actively interacts with the device by using overlay attacks and ATS modules to manipulate banking sessions in real time. Its targets are European and U.S. financial institutions, and it’s capable of bypassing multi-factor authentication by intercepting SMS and notification data. As mobile banking continues to grow, SharkBot represents a significant evolution in Android-based financial threats.

---

1. How SharkBot Works

Infection Mechanism:
SharkBot spreads through:

• Malicious apps disguised as antivirus, cleaners, or PDF viewers
• Fake websites and third-party app stores
• On occasion, apps containing SharkBot have bypassed Play Store screening
• Users are prompted to grant accessibility permissions, often under false pretenses

Payload Execution:
Once installed with the required permissions, SharkBot:

• Initiates overlay attacks that mimic legitimate banking app login screens
• Steals credentials, PINs, and session tokens
• Uses accessibility services to navigate apps, read inputs, and perform transactions
• Intercepts SMS and push notifications to bypass OTP-based 2FA
• Can uninstall itself remotely or update on command to evade detection

---

2. History and Notable Campaigns

Origin and Discovery:
SharkBot was first publicly reported in November 2021 by Cleafy researchers. It was quickly noted for its use of ATS techniques, which allowed it to perform transactions on behalf of users without manual input.

Notable Campaigns:

• In early 2022, SharkBot apps were found on the Google Play Store disguised as file managers and security apps
• In 2023, newer variants expanded geographic targeting to include UK, Spain, Germany, and the U.S.
• Distributed via smishing (SMS phishing) and malvertising
• Some campaigns used dropper apps that downloaded SharkBot after initial installation to evade Play Store scans

---

3. Targets and Impact

Targeted Victims and Sectors:

• Individual Android users in the U.S., U.K., Italy, Spain, Germany, and beyond
• Customers of mobile banking and crypto apps
• Victims downloading apps from unverified sources or malicious links

Consequences:

• Theft of banking credentials and account access
• Unauthorized wire transfers, sometimes without user awareness
• Bypassed 2FA, including OTP and push notifications
• Financial loss, identity theft, and fraud

---

4. Technical Details

Payload Capabilities:

• Overlay attacks using fake login screens
• Accessibility abuse to automate UI navigation
• Keylogging and screen content harvesting
• SMS interception and notification snooping
• Remote update and uninstall via C2 commands
• Uses ATS framework to simulate taps and input for transactions

Evasion Techniques:

• Apps appear legitimate and functional, lowering suspicion
• Payloads often delivered post-installation via update requests
• Uses encrypted communication with command-and-control servers
• Can self-delete after theft or switch C2 infrastructure dynamically
• Often uses packers and obfuscation to evade static analysis

---

5. Preventing SharkBot Infections

Best Practices:

• Only install apps from the official Google Play Store
• Avoid granting accessibility permissions to apps you don’t fully trust
• Monitor app behavior after installation — if it requests strange permissions, uninstall it
• Use Google Play Protect and keep the Android OS up to date
• Educate users on smishing and fake app warnings

Recommended Security Tools:

• Mobile antivirus with anti-trojan detection (e.g., Malwarebytes, Bitdefender, Kaspersky Mobile)
• Google Play Protect with real-time scanning enabled
• Enterprise Mobile Device Management (MDM) platforms for large deployments
• Security apps that detect overlay and accessibility abuse

---

6. Detecting and Removing SharkBot

Indicators of Compromise (IoCs):

• Unexpected requests for accessibility or notification listener permissions
• Battery or data usage spikes after installing unknown apps
• Duplicate login screens from banking apps
• SMS logs showing forwarded OTPs or banking messages
• Presence of suspicious APKs with obfuscated names

Removal Steps:

1. Revoke accessibility and administrator privileges
2. Uninstall the suspicious app
3. Use a mobile malware scanner to detect and remove any residual components
4. Change banking credentials and 2FA settings from a clean device
5. Report fraud to your bank immediately if any unauthorized activity occurred

Professional Help:
Victims of successful financial theft via SharkBot should contact their bank’s fraud department and may need to file a police report depending on jurisdiction. Enterprises should involve mobile security teams and audit mobile device compliance.

---

7. Response to a SharkBot Infection

Immediate Steps:

• Disconnect mobile banking apps from the infected device
• Revoke permissions and remove any suspicious apps
• Reset all associated passwords and enable stronger 2FA
• Notify your bank or financial institution
• Avoid restoring device backups that may include infected apps

---

8. Legal and Ethical Implications

Legal Considerations:
SharkBot campaigns constitute financial fraud and data theft, prosecutable under cybercrime laws worldwide. App developers who knowingly distribute droppers may be liable under malware distribution and digital fraud statutes.

Ethical Considerations:
SharkBot underscores how mobile accessibility features—meant to improve usability—can be turned into tools of exploitation. It highlights the need for stronger app vetting and user education, particularly around permissions and financial data.

---

9. Resources and References

• Cleafy: SharkBot Banking Trojan Report
• ThreatFabric: Mobile Threat Intelligence Updates
• Google TAG and Play Store security blogs
• MITRE ATT&CK for Mobile:
  • T1636.004 (Protected User Data: SMS Messages), old object is [T1412] Capture SMS Messages
  • T1421 (System Network Connections Discovery)
  • T1406 (Obfuscated Files or Information)
  • T1429 (Audio Capture)

---

10. FAQs about SharkBot

Q: What is SharkBot?
An Android banking Trojan that uses overlays and accessibility abuse to steal credentials and perform unauthorized money transfers.

Q: How does it spread?
Via malicious apps, often disguised as utilities or security tools, distributed through third-party stores or fake websites.

Q: Can it bypass 2FA?
Yes — it can intercept SMS, read notifications, and use accessibility features to bypass OTP-based authentication.

Q: Can it be removed?
Yes — if caught early. Removal includes revoking permissions, uninstalling the app, and scanning with mobile security tools.

---

11. Conclusion

SharkBot represents the new generation of Android banking malware, combining technical sophistication with aggressive tactics like automated transfers and permission abuse. Its ability to evade detection and interact with banking apps in real time makes it a high-risk threat. Staying protected requires a mix of technical controls, user awareness, and secure app practices.

 

 

« Back to the Virus Information Library

« Back to the Security Center