
SharkBot

Also known as: (no prominent aliases)

Category: Malware

Type: Remote access trojan (RAT), banking trojan, spyware, backdoor, keylogger

Platform: Android

Variants: SharkBot 2

Damage potential: Stolen financial information, stolen personal information, monetary loss, redirection to malicious web pages, keylogging, opening backdoors for other malware (like ransomware), takeover of the victim’s device

Overview

SharkBot is a family of banking trojans that targets Android devices. It was first discovered in October 2021 and showed up in fake apps on Google Play in March of the next year. SharkBot attempts to gain control over the victim’s device by exploiting Android accessibility services, which include screen reading aids and simulated touchscreen interactions. Once it has sufficient control, SharkBot usually uses the Automatic Transfer Systems feature to bypass protections like 2FA and funnel money out of the victim’s bank account.

Possible symptoms

Once installed, the app hiding SharkBot will keep asking for permission to access Android accessibility services. If permission is granted, SharkBot will start to quietly work in the background to log passwords and steal funds from the victim. At this stage, the malware will employ obfuscation and anti-analysis techniques to avoid detection.

Possible indicators of a SharkBot infection include:

  • Your device frequently freezes or stutters.
  • You realize you’ve been redirected to a fake website after clicking a legitimate link.
  • Other malware appears on your device without a known cause.
  • Your device keeps overheating, even when idle.
  • Your device periodically sends data to unknown remote servers (SharkBot is uploading device information to its handlers).
  • You notice that money has been sent to strangers from your bank account.

Sources of the infection

SharkBot aims to spread through fake or infected apps on Google Play, although such apps are quickly taken down once discovered. Known SharkBot carriers include FileVoyager, LiteCleaner M, Phone AID, Cleaner, Booster, X-File Manager, Mister Phone Cleaner and Kylhavy Mobile Security. SharkBot can also masquerade as a cracked version of a paid app on a third-party website, tempting victims to bypass Google’s protections to save money.

Your device may also get infected with SharkBot from:

  • Infected attachments to phishing emails.
  • Infected files shared through messaging platforms.
  • Infected files downloaded from cloud storage or online repositories.
  • Other viruses that drop SharkBot as part of their operations.
  • Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
  • Peer-to-peer (P2P) sharing of infected files.
  • Infected external devices, such as hard drives or USB sticks.

Protection

The best defense against SharkBot is good cyber hygiene. Before downloading an app from Google Play, make sure to read the user reviews and do a little research online to see if it is infected. Do not download .apk files from third-party websites that you do not trust completely. Finally, be on the lookout for apps that keep asking for permissions that they shouldn’t need after installation — they may be trying to hijack your device’s functions.
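One way to review which installed apps currently hold an accessibility service, the permission SharkBot keeps asking for, shown as an added example that is not part of the original page. It assumes a device reachable over adb with USB debugging enabled; the function name, package names and sample values are constructed for illustration.

```shell
#!/bin/sh
# On a live device the two inputs come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3
# The sample values below are constructed so the script runs offline.
SAMPLE_ENABLED='com.example.screenreader/com.example.screenreader.ReaderService:com.example.phonecleaner/com.example.phonecleaner.HelperService'
SAMPLE_THIRD_PARTY='package:com.example.phonecleaner
package:com.example.notes'

# Print every third-party package that has an enabled accessibility service.
#   $1: colon-separated "package/ServiceClass" list (or "null" when none)
#   $2: "package:<name>" lines listing user-installed packages
a11y_third_party() {
    # Older adb versions append carriage returns to shell output.
    enabled=$(printf '%s' "$1" | tr -d '\r')
    third_party=$(printf '%s' "$2" | tr -d '\r')
    case $enabled in
        ''|null) return 0 ;;   # no accessibility service is enabled
    esac
    printf '%s\n' "$enabled" | tr ':' '\n' | while IFS= read -r component; do
        pkg=${component%%/*}   # keep the package part before the slash
        [ -n "$pkg" ] || continue
        # Whole-line fixed-string match, so "com.a" never matches "com.a.b".
        if printf '%s\n' "$third_party" | grep -Fxq "package:$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

a11y_third_party "$SAMPLE_ENABLED" "$SAMPLE_THIRD_PARTY"
```

A package in the output is a prompt for review rather than a verdict: legitimate third-party apps also use accessibility services, but a file manager or cleaner app on the list deserves a closer look.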

Other protective measures include:

  • Use email scanning tools to identify and automatically block messages with suspicious attachments.
  • Use reliable antivirus software to detect, quarantine, and eliminate a SharkBot infection.
  • Use multi-factor authentication to protect your accounts in the event that someone steals your credentials using SharkBot.
  • Avoid potentially dangerous websites like dark web pages or torrent repositories. Apps hosted on third-party sites may be deliberately infected with SharkBot.
  • Use NordVPN’s Threat Protection Pro™ to scan programs and files for malware while they’re being downloaded. Along with the malware blocker, the feature also includes tools such as scam and fraud alert, which warns you when you enter a known infected website, preventing drive-by download attacks.

Removal

To remove a SharkBot infection, use a reputable antivirus solution. Do not try to remove it manually — SharkBot frequently deploys persistence mechanisms to resurface at a later date.