
S1055: SharkBot

SharkBot is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.[1]

Domain: Mobile | ID: S1055 | Type: Malware | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

SharkBot matters because it is Android banking malware described by MITRE as attempting to initiate money transfers from compromised devices by abusing Accessibility Services. For security leaders, the practical issue is not only one malicious app: it is whether mobile controls can see risky permission abuse, post-install code changes, credential or OTP capture paths, and command-and-control traffic on devices used for business or financial workflows.

Executive priority

Prioritize SharkBot as a mobile fraud and identity-readiness scenario. Leaders should ask whether corporate-managed and BYOD Android devices have enforceable app governance, visibility into Accessibility Services misuse, SMS/notification exposure, and evidence suitable for incident response or audit. This is especially relevant where mobile devices are used for banking, approvals, MFA, privileged access, or customer operations.

Technical view

ATT&CK provides no official detection text for SharkBot, but the relationships give concrete validation areas. SOC and mobile security teams should map Android telemetry to the related behaviors: obfuscated files, runtime code download, keylogging, GUI input capture, process discovery, web-protocol C2, input injection through accessibility APIs, notification access, SMS control and SMS collection, encrypted C2, ingress transfer, DGA use, out-of-band data, exfiltration over C2, malicious app uninstall behavior, and application versioning. Coverage should be tested against both pre-install app reputation controls and post-install behavioral monitoring.

Likely telemetry

  • Android app inventory and package/version history
  • Requested and granted permissions, especially Accessibility Services, notification access, SMS-related permissions, and default SMS handler status
  • Mobile device management or enterprise mobility management compliance events
  • Mobile threat defense alerts for suspicious app behavior, runtime code loading, obfuscation, or risky accessibility use
  • DNS and web traffic metadata from Android devices, including unusual domains, DGA-like patterns, and HTTPS destinations
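
The DNS item above is the one that can be worked with metadata alone. The following added example (not part of the ATT&CK object or the cited NCC Group research) scores lookups from Android devices for DGA-like patterns using only query name and response code: a burst of NXDOMAIN answers for long, high-entropy, vowel-poor registrable labels from one device is the investigation lead. The log line layout, the device identifiers and all thresholds are assumptions to tune locally; the sample lines are constructed.

```python
"""Triage of DGA-like lookups in DNS metadata from Android devices.

Added example, not from the ATT&CK object or the cited research. Input lines
are constructed and follow an assumed "<epoch> <device_id> <qname> <rcode>"
layout; the entropy and vowel-ratio thresholds are assumptions to tune locally.
"""
import math
from collections import defaultdict

# Constructed DNS metadata: one device issues a burst of NXDOMAIN lookups for
# random-looking labels, the other devices resolve ordinary names.
SAMPLE_LINES = """\
1700000000 dev-01 ygq7xk2pwnz4.com NXDOMAIN
1700000005 dev-01 q8mzvtk3hrlp.net NXDOMAIN
1700000010 dev-01 zx9kq2vbt7wn.org NXDOMAIN
1700000012 dev-01 kpw3n8vqzt5x.com NXDOMAIN
1700000020 dev-02 mail.example.com NOERROR
1700000030 dev-02 cdn.example-updates.com NOERROR
1700000040 dev-03 accounts.example-bank.com NOERROR
1700000045 dev-03 notfound.example-bank.com NXDOMAIN
""".splitlines()


def shannon_entropy(text):
    """Bits of entropy per character of a label."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(
        (text.count(ch) / total) * math.log2(text.count(ch) / total)
        for ch in set(text)
    )


def second_level_label(qname):
    """'abc' for 'abc.com.' (public-suffix handling is out of scope here)."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(qname, min_len=10, min_entropy=3.0, max_vowel_ratio=0.3):
    """Heuristic: a long, high-entropy, vowel-poor registrable label."""
    label = second_level_label(qname).lower()
    if len(label) < min_len:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio


def parse_line(line):
    ts, device, qname, rcode = line.split()
    return int(ts), device, qname, rcode


def triage_dns(lines, window_seconds=300, burst_size=3):
    """Return {device: [qnames]} for devices showing a burst of
    generated-looking NXDOMAIN lookups inside the time window."""
    candidates = defaultdict(list)
    for line in lines:
        ts, device, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN" and looks_generated(qname):
            candidates[device].append((ts, qname))
    flagged = {}
    for device, hits in candidates.items():
        hits.sort()
        for i in range(len(hits) - burst_size + 1):
            if hits[i + burst_size - 1][0] - hits[i][0] <= window_seconds:
                flagged[device] = [q for _, q in hits]
                break
    return flagged


if __name__ == "__main__":
    for device, names in triage_dns(SAMPLE_LINES).items():
        print(device, "->", names)
```

Requiring both the NXDOMAIN response code and a burst keeps long legitimate names (which can score high on entropy alone) out of the result; the vowel-ratio check is what separates "example-bank" from a random label of the same length.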

Detection direction

  • Validate whether tools can detect high-risk combinations rather than single indicators, such as accessibility access plus input injection, notification/SMS access, or runtime code download.
  • Tune carefully for legitimate accessibility tools, keyboards, messaging apps, enterprise applications that download modules, and normal encrypted web traffic.
  • Review app-version monitoring because ATT&CK links SharkBot to application versioning, where a previously benign app can become malicious after update.
  • Check whether DNS and web telemetry can support DGA and web-protocol C2 investigation without relying on full payload visibility.
  • Confirm mobile IR procedures preserve app package details, permissions, version history, network destinations, and uninstall traces, since malicious apps may attempt removal.
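
The first and third items above (detect combinations rather than single indicators; watch for risky capabilities gained after an update) can be expressed as a small scoring pass over an app inventory. The following added example is not the page's, MITRE's or the cited research's code: it assumes an MDM/MTD export that lists each package's version history with capability flags (the flag names, the allowlist, the weights and the threshold are all assumptions), and the inventory it runs on is constructed.

```python
"""Risk-combination triage over an Android app inventory.

Added example, not from the ATT&CK object or the cited research. The record
layout (package, version history, capability flags) is an assumed shape for an
MDM/MTD export; the weights and threshold are assumptions to tune locally.
"""
from dataclasses import dataclass

# Capability flags as an MDM/MTD export might report them (assumed names).
ACCESSIBILITY = "accessibility_service_enabled"
NOTIFICATION_LISTENER = "notification_listener_enabled"
SMS_PERMISSIONS = "sms_permissions_granted"
DEFAULT_SMS_ROLE = "default_sms_handler"
RUNTIME_CODE_LOAD = "runtime_code_load_observed"

# Capabilities that, combined with accessibility access, make up the
# SharkBot-like cluster (input injection plus notification/SMS/code paths).
ESCALATING = {NOTIFICATION_LISTENER, SMS_PERMISSIONS, DEFAULT_SMS_ROLE, RUNTIME_CODE_LOAD}

# Constructed allowlist: packages expected to hold accessibility access
# (screen readers, approved enterprise automation).
ACCESSIBILITY_ALLOWLIST = {"com.example.screenreader"}


@dataclass
class AppVersion:
    version: str
    capabilities: set


@dataclass
class AppRecord:
    package: str
    history: list  # AppVersion objects, oldest first


def score_app(app):
    """Return (score, reasons) for the newest installed version of an app."""
    newest = app.history[-1]
    caps = newest.capabilities
    score, reasons = 0, []

    # Combination rule: accessibility access only counts together with the
    # capabilities that let it be turned into fraud or persistence.
    if ACCESSIBILITY in caps and app.package not in ACCESSIBILITY_ALLOWLIST:
        score += 2
        reasons.append("accessibility access outside allowlist")
        combo = sorted(caps & ESCALATING)
        if combo:
            score += 3 * len(combo)
            reasons.append("accessibility combined with " + ", ".join(combo))

    # Versioning rule: a previously benign app that gains risky capabilities
    # after an update is the application-versioning pattern.
    if len(app.history) > 1:
        previous = app.history[-2]
        gained = sorted((caps - previous.capabilities) & (ESCALATING | {ACCESSIBILITY}))
        if gained:
            score += 4
            reasons.append(f"update {previous.version} -> {newest.version} gained " + ", ".join(gained))
    return score, reasons


def triage(inventory, threshold=5):
    """Return {package: (score, reasons)} for apps at or above the threshold."""
    findings = {}
    for app in inventory:
        score, reasons = score_app(app)
        if score >= threshold:
            findings[app.package] = (score, reasons)
    return findings


# Constructed inventory: one allowlisted accessibility tool, a messaging app,
# a launcher with accessibility only, a reader that started loading code after
# an update, and a "cleaner" that gained the whole cluster in version 1.1.
SAMPLE_INVENTORY = [
    AppRecord("com.example.screenreader", [AppVersion("3.1", {ACCESSIBILITY, NOTIFICATION_LISTENER})]),
    AppRecord("com.example.messenger", [AppVersion("10.0", {SMS_PERMISSIONS, NOTIFICATION_LISTENER, DEFAULT_SMS_ROLE})]),
    AppRecord("com.example.launcher", [AppVersion("2.0", {ACCESSIBILITY})]),
    AppRecord("com.example.reader", [AppVersion("1.0", {NOTIFICATION_LISTENER}),
                                    AppVersion("1.2", {NOTIFICATION_LISTENER, RUNTIME_CODE_LOAD})]),
    AppRecord("com.example.cleaner", [AppVersion("1.0", set()),
                                     AppVersion("1.1", {ACCESSIBILITY, NOTIFICATION_LISTENER,
                                                        DEFAULT_SMS_ROLE, RUNTIME_CODE_LOAD})]),
]

if __name__ == "__main__":
    for package, (score, reasons) in triage(SAMPLE_INVENTORY).items():
        print(package, score, "; ".join(reasons))
```

With the default threshold only the "cleaner" package is reported; the reader app that merely gained runtime code loading scores below it, which is the tuning point the second item above refers to (enterprise apps that download modules legitimately). Lowering the threshold to 4 surfaces it for review.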

Mitigation priorities

  • Start with mobile app governance: managed app stores, app allowlisting or risk-based blocking, and controls over sideloading where appropriate.
  • Restrict or monitor sensitive Android permissions and roles, especially Accessibility Services, notification access, SMS permissions, and default SMS handler assignment.
  • Use MDM/UEM and mobile threat defense policies to flag risky app updates, runtime code loading, obfuscation, and suspicious network behavior.
  • Reduce dependence on SMS or notification-delivered one-time codes for sensitive workflows where feasible, because related techniques include SMS and notification access.
  • Prepare mobile incident response playbooks for isolating a device, collecting app and permission evidence, revoking exposed credentials, and reviewing financial or approval activity.

Analyst notes and limits

The strongest decision value comes from the relationship set: SharkBot is not represented as a single observable but as a cluster of Android mobile behaviors involving accessibility abuse, credential/input capture, SMS and notification access, evasive app behavior, and C2/exfiltration patterns. Treat this as a control-validation use case for mobile visibility and identity-risk workflows.

MITRE does not provide official detection guidance, tactics, aliases, labels, or guaranteed indicators in the supplied object. The external reference identifies a public research article, but no additional details beyond the supplied fields should be assumed. Local device management, privacy constraints, and mobile telemetry availability will determine actual detection and response coverage.

Official MITRE ATT&CK definition

SharkBot

SharkBot is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

18 rows

Domain | ID | Name | Relationship / procedure

Mobile | T1407 | Download New Code at Runtime
SharkBot can use the Android “Direct Reply” feature to spread the malware to other devices. It can also download the full version of the malware after initial device compromise. [1]

Mobile | T1644 | Out of Band Data
SharkBot can use the “Direct Reply” feature of Android to automatically reply to notifications with a message provided by C2. [1]

Mobile | T1646 | Exfiltration Over C2 Channel
SharkBot can exfiltrate captured user credentials and event logs back to the C2 server. [1]

Mobile | T1424 | Process Discovery
SharkBot can use Accessibility Services to detect which process is in the foreground. [1]

Mobile | T1417.001 | Keylogging (Sub-technique)
SharkBot can use accessibility event logging to steal data in text fields. [1]

Mobile | T1637.001 | Domain Generation Algorithms (Sub-technique)
SharkBot contains domain generation algorithms to use as backups in case the hardcoded C2 domains are unavailable. [1]

Mobile | T1630.001 | Uninstall Malicious Application (Sub-technique)
SharkBot has C2 commands that can uninstall the app from the infected device. [1]

Mobile | T1636.004 | SMS Messages (Sub-technique)
SharkBot can intercept SMS messages. [1]

Mobile | T1516 | Input Injection
SharkBot can use input injection via Accessibility Services to simulate user touch inputs, prevent applications from opening, change device settings, and bypass MFA protections. [1]

Mobile | T1661 | Application Versioning
SharkBot initially poses as a benign application, then malware is downloaded and executed after an application update. [1]

Mobile | T1582 | SMS Control
SharkBot can hide and send SMS messages. SharkBot can also change which application is the device’s default SMS handler. [1]

Mobile | T1544 | Ingress Tool Transfer
SharkBot can download attacker-specified files. [1]

Mobile | T1406 | Obfuscated Files or Information
SharkBot can use a Domain Generation Algorithm to decode the C2 server location. [1]

Mobile | T1417.002 | GUI Input Capture (Sub-technique)
SharkBot can use a WebView with a fake login site to capture banking credentials. [1]

Mobile | T1521.002 | Asymmetric Cryptography (Sub-technique)
SharkBot has used RSA to encrypt the symmetric encryption key used for C2 messages. [1]

Mobile | T1437.001 | Web Protocols (Sub-technique)
SharkBot can use HTTP to send C2 messages to infected devices. [1]

Mobile | T1521.001 | Symmetric Cryptography (Sub-technique)
SharkBot can use RC4 to encrypt C2 payloads. [1]

Mobile | T1517 | Access Notifications
SharkBot can intercept notifications to send to the C2 server and take advantage of the Direct Reply feature. [1]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 3c40c484485fbd40...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 3c40c484485f…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] nccgroup_sharkbot_0322
     RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
  2. [2] mitre-attack S1055

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.