June 7, 2023

Researchers are warning about SharkBot malware was found in several file manager Android apps on the Google Play Store, some of them with thousands of downloads.

In general, Google Play Store would likely detect a trojan banker uploaded to their repository, so criminals resort to alternate methods. One way is with an app, sometimes legitimate with some of the advertised features, that doubles as a dropper for more insidious malware.

This was the case with several file manager apps, which were disguised as such to justify the request for permission to install external packages from the user.


Though the discovered apps are no longer available on the Google Play Store, they can still be found in different third-party stores, making them a current threat.

The first analyzed by the Bitdefender team was ‘X-File Manager,’ counting over 10,000 installs before it was deleted. ‘FileVoyager’ was the second one, counting roughly 5,000 downloads.

Two more apps were found following the same pattern, but they were never available on the Google Play store. They are called ‘Phone AID, Cleaner, Booster’ and ‘LiteCleaner M’ and were discovered on the web through third-party app stores.

Most users who downloaded the malicious apps were from the United Kingdom (80.6%) and Italy (16.2%), with a small minority in other countries.

This research was documented by researchers from Bitdefender Firm


Other Apps Monitored by the malware

Package nameFinancial institution
com.bankofireland.mobilebankingBank of Ireland Mobile Banking
com.cooperativebank.bankThe Co-operative Bank
ftb.ibank.androidAIB (NI) Mobile
com.nearform.ptsbpermanent tsb
uk.co.mbna.cardservices.androidMBNA Mobile App
com.danskebank.mobilebank3.ukMobile Bank UK – Danske Bank
com.tescobank.mobileTesco Bank and Clubcard Pay+
com.virginmoney.uk.mobile.androidVirgin Money Mobile Banking
com.cooperativebank.smile “smile – the internet bank”
com.starlingbank.androidStarling Bank – Mobile Banking
uk.co.metrobankonline.mobile.android.productionMetro Bank
uk.co.santander.santanderUKSantander Mobile Banking
uk.co.hsbc.hsbcukmobilebankingHSBC UK Mobile Banking
uk.co.tsb.newmobilebankTSB Mobile Banking
com.grppl.android.shell.BOSBank of Scotland Mobile App
com.grppl.android.shell.halifaxHalifax Mobile Banking
com.grppl.android.shell.CMBlloydsTSB73Lloyds Bank Mobile Banking
it.copergmps.rt.pf.android.sp.bmpsBanca MPS
it.relaxbankingRelaxBanking Mobile
it.bnl.apps.enterprise.hellobankHello Bank!
it.ingdirect.appING Italia
com.latuabancaperandroidIntesa Sanpaolo Mobile
com.latuabancaperandroid.pg Intesa Sanpaolo Business
com.latuabancaperandroid.ispbIntesa Sanpaolo Private
com.bmo.mobileBMO Mobile Banking
com.fideuram.alfabetobankingAlfabeto Banking
com.lynxspa.bancopopolareYouApp – Mobile Banking

Indicators Of Compromise

Package name

  • com.victorsoftice.llc
  • com.potsepko9.FileManagerApp
  • com.sidalistudio.developer.app
  • com.ltdevelopergroups.litecleaner.m

File Hashes

  • fa7947933a3561b7174f1d94472dcf8633a03749c14342ce65dafe94db361140
  • 5481908f7cf651fde7b902f70c5c6f900a413de5976e1e0ba2b60c44f2a060c4
  • 5ee5894c2be17c542601c113225862129ed96da6e6bd0d80c5ef0d500ad21fe3
  • 0fb6f45af7834c742db0c7b68a61d177c49bb4c59e19640c62723c6b38a777ad
  • 6f1eb9c21b026eecfd65459ec4cffe3954d24619010741e18722108d7bacf3d1
  • 5e858fa31abe3b048be815a96234daa1123a9aab113d6f80b95dbf9437fb7343
  • e2d2e7683e07c5ffa7b5475433057cec5c2993167f47ea650941f9871923792d
  • 72512e7de8099e66beb9b4395b8c4a5c1dfd413c85977a31480ff8bd68b2ca6e
  • 218c6e2327c8342192dc58c6e793fc3d5cba7f15e4b2f188c98cd4ba48bf244a
  • 844efceeeeff73da35ac13c217ad5723c456ecec01fada7f92b9203fc29e7dcd
  • 25e2a148a586acc6b741a64f42c618796a08ec9745eb3d1170acabf9e732a366
  • 900fe34d5394689c86ead76666e79620ad7a10109c75d661af9bc7d8fb0c27b8
  • b45edcbdfe9ad1a1990d723dca4405014a4fa1c578b75799219a4298b16175de
  • 618ee1e79a927c57831527faf19739276f2706b6200ee8f52aa0eb0c66de6828

Leave a Reply

%d bloggers like this: