# SharkBot
SharkBot is an Android banking trojan combining ATS (Automated Transfer System) fraud with a Domain Generation Algorithm (DGA) for C2 resilience. Discovered in October 2021, it was built from scratch with no code overlap with existing families. Its on-device fraud capabilities, cookie-stealing mechanism, and persistent Google Play presence made it a significant player in the EU banking trojan landscape. The DGA implementation, unusual for Android malware at the time, set it apart from contemporaries.
## Overview
| Attribute | Details |
|---|---|
| First Seen | October 2021 |
| Status | Active (2025, v1.63+) |
| Type | Banking trojan, ATS fraud |
| Aliases | None widely used |
| Attribution | Unknown, financially motivated |
| Distribution | Google Play Store droppers, direct download |
## Origin and Lineage
Cleafy's Threat Intelligence team identified SharkBot at the end of October 2021 during monitoring of European banking fraud. Analysis confirmed it shared no codebase with Anatsa/TeaBot, Cerberus/Alien, Oscorp, FluBot, or any other known Android banking family.
NCC Group and Fox-IT published joint analysis in March 2022, providing the first deep technical breakdown including DGA internals and C2 protocol details. Fox-IT's blog covered the same analysis with additional distribution context.
The malware has been under continuous development, with major version bumps in 2022 (v2, new DGA) and 2025 (v1.63, improved stealth).
## Distribution
SharkBot's operators use Google Play dropper apps disguised as antivirus tools, file managers, and cleaner utilities.
| Date | Dropper Disguise | Installs | Source |
|---|---|---|---|
| Early 2022 | Antivirus apps | 15,000+ | NCC Group/Fox-IT |
| April 2022 | Various utility apps (7 apps) | Thousands | The Hacker News |
| September 2022 | Antivirus, cleaner apps | Thousands | Fox-IT |
| November 2022 | File manager apps | Thousands | The Hacker News |
The dropper approach evolved over time. Early versions required REQUEST_INSTALL_PACKAGES and used accessibility services to install the payload. Later versions adopted a direct-download approach: the dropper opens a fake Play Store page prompting the user to "update" the app, which is actually the SharkBot payload. This avoided the need for accessibility permissions at the dropper stage.
## Capabilities
### Version Evolution
| Version | Date | Key Changes |
|---|---|---|
| v1.x | Oct 2021 | ATS, overlay injection, SMS interception, keylogging, DGA (Base64) |
| v2.x | May 2022 | Code refactor, new DGA (MD5), updated C2 protocol |
| v2.25 | Aug 2022 | Cookie stealing added, auto-reply SMS removed |
| v1.63 | Feb 2025 | Improved stealth and evasion |
### Core Features
| Capability | Implementation |
|---|---|
| ATS fraud | Accessibility service simulates touches/clicks to perform transfers |
| Overlay injection | WebView-based phishing triggered when target banking app opens |
| Keylogging | Accessibility event monitoring captures all text input |
| SMS interception | Reads and hides incoming SMS for 2FA bypass |
| Cookie stealing | Captures session cookies during bank login via the logsCookie command |
| Push notification abuse | Can auto-reply to push notifications |
| DGA | Fallback C2 resolution when hardcoded domains are taken down |
### Cookie Stealing
Fox-IT documented the cookie-stealing feature introduced in v2.25 (August 2022). When the victim logs into their bank account, SharkBot intercepts the valid session cookie using the logsCookie command and exfiltrates it to C2. These cookies are valuable for account takeover because they contain session tokens and device fingerprinting parameters that bypass anti-fraud checks on subsequent logins.
### ATS Implementation
The ATS engine receives a list of events from C2 to simulate on the device in sequence. These events include:
- Touch/click simulation at specific coordinates
- Button press simulation
- Text input into fields
- App navigation steps
This allows the operator to script full transfer workflows that execute autonomously on the victim's device.
## Technical Details
### DGA Algorithm
SharkBot's DGA is its most distinctive technical feature. Detailed analysis of both DGA versions documents the evolution:
Version 1 (Base64 DGA):
- Input: {week_of_year}{year}{seed_string}
- Seed string: pojBI9LHGFdfgegjjsJ99hvVGHVOjhksdf
- Encoding: Base64
- Output: first 19 characters of the encoded string
- TLD: appended from hardcoded list
Version 2 (MD5 DGA):
- Input: same date/seed combination
- Encoding: MD5 hash
- Output: first 19 characters of the hex digest
- Improvement: eliminates the static Base64 suffix that made v1 domains predictable
The DGA regenerates weekly, producing new domains that the operators pre-register.
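As an added example (written for this page, not code from the cited analyses or from the malware), both DGA variants as described above are reimplemented in Python so a defender can pre-generate a week's candidate domains for a blocklist or resolver alert. The ISO-week reading of week_of_year and the two TLDs are assumptions, since the page gives neither.

```python
import base64
import hashlib
from datetime import date, timedelta

# Seed string quoted on the page for SharkBot's DGA.
SEED = "pojBI9LHGFdfgegjjsJ99hvVGHVOjhksdf"
# The page says the TLD comes from a hardcoded list it does not reproduce;
# these are placeholders for the example, not the malware's real list.
TLDS = ["com", "net"]
LABEL_LEN = 19


def dga_input(day: date) -> str:
    """'{week_of_year}{year}{seed_string}' as described on the page.
    Assumption: week_of_year is the unpadded ISO week number."""
    return f"{day.isocalendar()[1]}{day.year}{SEED}"


def v1_label(day: date) -> str:
    """v1 DGA: Base64 of the input, first 19 characters."""
    encoded = base64.b64encode(dga_input(day).encode("ascii")).decode("ascii")
    return encoded[:LABEL_LEN]


def v2_label(day: date) -> str:
    """v2 DGA: MD5 hex digest of the input, first 19 characters."""
    return hashlib.md5(dga_input(day).encode("ascii")).hexdigest()[:LABEL_LEN]


def candidate_domains(day: date, version: int = 2) -> set[str]:
    """Every domain the DGA can yield for the week containing `day`."""
    label = v1_label(day) if version == 1 else v2_label(day)
    return {f"{label}.{tld}" for tld in TLDS}


def weekly_blocklist(start: date, weeks: int, version: int = 2) -> set[str]:
    """Pre-generate domains for the coming weeks; the DGA rotates weekly."""
    out: set[str] = set()
    for i in range(weeks):
        out |= candidate_domains(start + timedelta(weeks=i), version)
    return out


def v1_suffixes(year: int) -> set[str]:
    """Trailing part of the v1 label for each two-digit ISO week of `year`.
    A 6-character date prefix is a whole number of 3-byte Base64 groups, so
    the static seed encodes identically every week and this set has one
    member: the predictable suffix that v2's MD5 hashing removes."""
    return {v1_label(date.fromisocalendar(year, w, 1))[8:] for w in range(10, 53)}
```

Feed `weekly_blocklist()` output to a DNS sinkhole or proxy denylist, and treat the single member of `v1_suffixes()` as a cheap substring signature for v1-era domains.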
### C2 Communication
| Component | Details |
|---|---|
| Encryption | RC4 with hardcoded key |
| Encoding | Base64 over encrypted payload |
| Protocol | HTTPS POST |
| Fallback | DGA-generated domains when primary C2 is down |
### Anti-Analysis
| Technique | Details |
|---|---|
| String obfuscation | Custom routine across all versions |
| Emulator detection | Checks build properties and hardware identifiers |
| DGA | Makes C2 takedown difficult |
| Low AV detection | Minimal static signatures at time of discovery |
## Target Regions and Financial Institutions
| Period | Targeted Countries |
|---|---|
| Oct-Dec 2021 | UK, Italy, US |
| Early 2022 | UK, Italy |
| Aug 2022 | Expanded to Spain, Australia, Poland, Germany, US, Austria |
Fox-IT observed the target expansion in August 2022 when new C2 servers began serving target lists including banks beyond the original UK/Italy focus. Targeted institutions include traditional banks and cryptocurrency exchanges.
## Notable Campaigns
October-November 2021: Cleafy's initial disclosure documented the first SharkBot botnet targeting UK, Italian, and US banking apps and cryptocurrency exchanges.
March 2022: NCC Group and Fox-IT published detailed analysis of SharkBot distributed through Google Play as fake antivirus apps, with 15,000+ installs across the UK and Italy.
April 2022: SharkBot resurfaced on Google Play behind seven new apps after the initial batch was removed.
September 2022: Fox-IT documented SharkBot v2.25 with the new cookie-stealing capability and MD5-based DGA, distributed through fake antivirus and cleaner apps.
November 2022: SharkBot appeared in file manager apps on Google Play, targeting users primarily in the UK, Italy, and expanded European markets.
February 2025: Cyble documented SharkBot v1.63 with improved stealth capabilities, confirming the malware remains under active development.