SharkBot Malware Infiltrates Google Play Store

Advisory ID:
September 5, 2022


A new and improved variant of the SharkBot malware has been discovered in the form of a device optimization and antivirus app on the Google Play Store. This malware is said to be targeting Android users' banking logins via apps with tens of thousands of installations.

Description & Consequence

SharkBot is a Trojan malware that was discovered earlier this year and steals user credentials and other data from bank apps. It used Android's Accessibility Services Permissions to display fake windows over banking apps (an overlay attack). The new variant, on the other hand, does not use Accessibility Services and is downloaded and installed as an update after installing and launching a fake app. This enables it to scale easily through Google's app review process.


The deceptive apps that install the SharkBot malware are:

  1. Kylhavy Mobile Security by Kylhavy mobile LTD 
  2. Mister Phone Cleaner by Kristine Soft 


Altogether, the apps have been downloaded over 60,000 times. After the installation and launch, the app will contact the Command and Control (C2) server for the SharkBot APK file thereby prompting the user that an update is available and needs to be installed.

Installing this malware will make one susceptible to:

  1. Interception of text messages (SMS)
  2. Overlay attacks
  3. Threat actors will have remote access and control
  4. Keylogging
  5. Cookie theft – when one logs into their banking app, SharkBot can pilfer the session cookie and forward it to the C2 server.


  1. If you have installed any of the aforementioned apps, remove them immediately!
  2. Be wary of the apps on the Play Store; check app ratings and read user reviews.
  3. Use in-built device optimization features rather than download third-party apps. Also, only install antivirus apps of good repute.
  4. Always make sure devices and Operating Systems are up-to-date.



Related Articles