SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store
ID: f3775dfb-664b-5f7c-a0f2-952efeaa67a2
STIX ID: report--f3775dfb-664b-5f7c-a0f2-952efeaa67a2
Feed Name: Fox-IT blog
SharkBot is an Android banking malware distributed as a fake antivirus via the Google Play Store that abuses Accessibility Services and a novel Automatic Transfer System (ATS) to automate fraudulent transfers and bypass MFA. The report provides technical analysis of its C2 protocol (RC4+RSA), DGA, command set, propagation via notification auto-reply, sample hashes, C2 domains and public keys, and notes observed distribution and dropper behavior.
