Sharkbot is back in Google Play
ID: b5141995-5a67-5c47-a227-2e45136900ac
STIX ID: report--b5141995-5a67-5c47-a227-2e45136900ac
Feed Name: Fox-IT blog
This report documents a Google Play-based campaign distributing a Sharkbot dropper that tricks users into installing Sharkbot banking malware as fake antivirus updates. The dropper avoids Accessibility abuse to evade detection, and requests and installs the APK after user approval. Sharkbot v2.25–2.26 adds cookie-stealing via WebView alongside the existing overlay injections, keylogging, SMS interception and remote ATS control. The report provides IOCs (sample hashes, C2 domain browntrawler.store and IP 185.212.47.113) and notes expanded targeting across multiple countries and banking apps.
