SharkBot Malware – The Antivirus App That Takes Control of Your Phone


Share on facebook
Share on twitter
Share on linkedin

SharkBot financial malware has invaded the Google Play Store, masquerading as an antivirus with machine cleaning capabilities. 

Although the trojan app has not gained popularity, its existence in the Play Store suggests that threat actors can still evade Google’s automated defences. In the meanwhile, the app may still be accessible in Google Play. 

What does SharkBot do?

SharkBot’s newest version has four primary functions: 

  1. Injections: When SharkBot finds the legitimate banking app is active, it can steal credentials by displaying web content (WebView) with a fake login URL (phishing). 
  1. Keylogging: SharkBot can steal credentials by logging accessibility events (such as changes in text fields and button clicks) and forwarding these logs to the command-and-control server (C2) 
  1. SMS intercept: SharkBot can intercept and hide SMS communications. 
  1. Remote control/ATS: SharkBot can acquire complete remote control of an Android smartphone (via Accessibility Services). 
SharkBot Malware
The Android application that carries SharkBot. (BleepingComputer)

The virus can also accept commands from the C2 server to execute operations such as: 

  • Send an SMS to a specific number 
  • Alter the SMS manager 
  • Download a file from a given URL. 
  • Receive a new configuration file. 
  • Remove an app from the device. 
  • Turn off battery optimisation. 
  • Show a phishing overlay 
  • Activate or deactivate ATS 
  • Force certain apps to close (such as an antivirus application)


The samples indicated 22 distinct targets, including multinational banks from the United Kingdom and Italy, as well as five different cryptocurrency businesses. Infections have been discovered so far in the United Kingdom, Italy, and the United States.  

Because the software appears to be in the early stages of development, the number of targets is expected to rise with time. 

How can you stay safe? 

  • Install apps only from the Google Play Store, and before you do so, look at how many reviews the app has. 
  • Pay attention to the permissions requested during installation and do not allow any rights that appear to be superfluous for the app’s basic operation. 
  • Keep a watch on your device’s battery consumption; if it runs out of juice quickly, it’s a likely indicator of malware infection. 
  • Keep a close eye on network traffic volumes for any spikes, which might indicate the presence of malicious activities running in the background. 
Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.


Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235

Emergency Assistance

Under Attack?

Please fill out the form and we will respond ASAP. Alternatively, click the button to call us now.