December 9, 2023

Researchers are warning that SharkBot malware was found in several file manager Android apps on the Google Play Store, some of them with thousands of downloads.

In general, the Google Play Store would likely detect a banking trojan uploaded to its repository, so criminals resort to alternate methods. One way is to use an app, sometimes legitimate and offering some of the advertised features, that doubles as a dropper for more insidious malware.

This was the case with several file manager apps: the file manager disguise served to justify asking the user for permission to install external packages.


Though the discovered apps are no longer available on the Google Play Store, they can still be found in different third-party stores, making them a current threat.

The first analyzed by the Bitdefender team was ‘X-File Manager,’ counting over 10,000 installs before it was deleted. ‘FileVoyager’ was the second one, counting roughly 5,000 downloads.

Two more apps were found following the same pattern, but they were never available on the Google Play store. They are called ‘Phone AID, Cleaner, Booster’ and ‘LiteCleaner M’ and were discovered on the web through third-party app stores.

Most users who downloaded the malicious apps were from the United Kingdom (80.6%) and Italy (16.2%), with a small minority in other countries.

This research was documented by researchers from Bitdefender.


Other Apps Monitored by the malware

Package name | Financial institution
com.bankofireland.mobilebanking | Bank of Ireland Mobile Banking
com.cooperativebank.bank | The Co-operative Bank
ftb.ibank.android | AIB (NI) Mobile
com.nearform.ptsb | permanent tsb Mobile App
com.danskebank.mobilebank3.uk | Mobile Bank UK – Danske Bank
com.tescobank.mobile | Tesco Bank and Clubcard Pay+ Money Mobile Banking “smile – the internet bank”
com.starlingbank.android | Starling Bank – Mobile Banking Bank Mobile Banking UK Mobile Banking Mobile Banking of Scotland Mobile App Mobile Banking Bank Mobile Banking MPS
it.relaxbanking | RelaxBanking Mobile Bank!
it.ingdirect.app | ING Italia
com.latuabancaperandroid | Intesa Sanpaolo Mobile Intesa Sanpaolo Business
com.latuabancaperandroid.ispb | Intesa Sanpaolo Private
com.bmo.mobile | BMO Mobile Banking
com.fideuram.alfabetobanking | Alfabeto Banking
com.lynxspa.bancopopolare | YouApp – Mobile Banking

Indicators Of Compromise

Package name

  • com.potsepko9.FileManagerApp
  • com.ltdevelopergroups.litecleaner.m
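
A device triage sketch built on the package-name indicators above, added here as an example and not taken from Bitdefender's research. It parses `adb shell pm list packages -i` output (the sample below is constructed), flags the dropper packages, notes which were not installed by the Play Store, and lists the monitored banking apps present on the same device. The banking set is a subset of this page's table, and the function names are illustrative.

```python
import re

# IoC package names listed on this page.
DROPPER_PACKAGES = {
    "com.potsepko9.FileManagerApp",
    "com.ltdevelopergroups.litecleaner.m",
}
# Subset of the banking apps this page lists as monitored by the malware.
MONITORED_BANKING = {
    "com.bankofireland.mobilebanking",
    "com.cooperativebank.bank",
    "com.starlingbank.android",
    "it.ingdirect.app",
    "com.bmo.mobile",
}
PLAY_INSTALLER = "com.android.vending"
LINE_RE = re.compile(r"^package:(\S+)(?:\s+installer=(\S+))?\s*$")

# Constructed sample of `adb shell pm list packages -i` output.
SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:com.potsepko9.FileManagerApp  installer=com.android.vending
package:com.starlingbank.android  installer=com.android.vending
package:com.ltdevelopergroups.litecleaner.m  installer=null
package:it.ingdirect.app  installer=com.android.vending
"""

def parse_packages(text):
    """Map package name -> installer (None when absent or 'null')."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            installer = m.group(2)
            found[m.group(1)] = None if installer in (None, "null") else installer
    return found

def triage(text):
    """Return dropper hits, their non-Play subset, and exposed banking apps."""
    pkgs = parse_packages(text)
    droppers = sorted(p for p in pkgs if p in DROPPER_PACKAGES)
    sideloaded = sorted(p for p in droppers if pkgs[p] != PLAY_INSTALLER)
    # Banking apps only raise priority when a dropper is also present.
    exposed = sorted(p for p in pkgs if p in MONITORED_BANKING) if droppers else []
    return {"droppers": droppers, "sideloaded": sideloaded, "exposed_banking": exposed}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A device that reports a dropper together with any monitored banking app is the one to prioritise for credential resets.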

File Hashes

