SharkBot malware hides as Android antivirus in Google Play

SharkBot banking malware has infiltrated the Google Play Store, the official Android app repository, posing as an antivirus with system cleaning capabilities.
SharkBot was discovered in Google Play by researchers at the NCC Group, who today published a detailed technical analysis of the malware.
Remote control/ATS: SharkBot has the ability to obtain full remote control of an Android device.
To perform the above, SharkBot abuses the Accessibility permission on Android and then grants itself additional permissions as needed.
One of the notable differences between SharkBot and other Android banking trojans is its use of relatively new components that leverage the 'Direct reply' feature for notifications.
SharkBot can now intercept new notifications and reply to them with messages coming directly from the C2. As noted in the NCC report, SharkBot uses this feature to drop feature-rich payloads onto the compromised device by replying with a shortened Bit.ly URL. The initial SharkBot dropper app contains a light version of the actual malware to reduce the risk of detection and app store rejections.
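For reviewers triaging a "cleaner" or "antivirus" app, the capabilities described above show up as declarations in the app's manifest. The following is an added example, not code from the article or the NCC report: it scans a decoded AndroidManifest.xml for services bound to the Accessibility or notification-listener permissions and for the package-install permission. The sample manifest, the package and service names, and the review heuristic are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Bind permissions that let a service observe or drive other apps' UI and notifications.
SENSITIVE_BINDS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
}
# Permission an app needs before it can ask the user to install another APK.
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"

# Constructed sample: a decoded manifest for a hypothetical "cleaner" app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Antivirus Cleaner">
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return human-readable findings for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for svc in root.iter("service"):
        bind = svc.get(ANDROID + "permission")
        if bind in SENSITIVE_BINDS:
            findings.append(f"{SENSITIVE_BINDS[bind]}: {svc.get(ANDROID + 'name')}")
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    if INSTALL_PERMISSION in requested:
        findings.append("can request installation of other packages")
    return findings


def needs_review(findings):
    """Assumed heuristic: an accessibility service plus any other finding."""
    has_a11y = any(f.startswith("accessibility service") for f in findings)
    return has_a11y and len(findings) > 1


if __name__ == "__main__":
    results = triage_manifest(SAMPLE_MANIFEST)
    print("\n".join(results), "| manual review:", needs_review(results))
```

A hit is a prompt for manual review, not a verdict, since legitimate assistive apps also declare an accessibility service.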