SharkBot can intercept notifications to send to the C2 server and take advantage of the Direct Reply feature.^[1]

SharkBot can use HTTP to send C2 messages to infected devices.^[1]

SharkBot initially poses as a benign application, then malware is downloaded and executed after an application update.^[1]

SharkBot can use the Android "Direct Reply" feature to spread the malware to other devices. It can also download the full version of the malware after initial device compromise.^[1]

SharkBot contains domain generation algorithms to use as backups in case the hardcoded C2 domains are unavailable.^[1]

SharkBot can use RC4 to encrypt C2 payloads.^[1]

SharkBot has used RSA to encrypt the symmetric encryption key used for C2 messages.^[1]

SharkBot can exfiltrate captured user credentials and event logs back to the C2 server.^[1]

SharkBot has C2 commands that can uninstall the app from the infected device.^[1]

SharkBot can download attacker-specified files.^[1]

SharkBot can use accessibility event logging to steal data in text fields.^[1]

SharkBot can use a WebView with a fake log in site to capture banking credentials.^[1]

SharkBot can use input injection via Accessibility Services to simulate user touch inputs, prevent applications from opening, change device settings, and bypass MFA protections.^[1]

SharkBot can use a Domain Generation Algorithm to decode the C2 server location.^[1]

SharkBot can use the "Direct Reply" feature of Android to automatically reply to notifications with a message provided by C2.^[1]

SharkBot can use Accessibility Services to detect which process is in the foreground.^[1]

SharkBot can intercept SMS messages.^[1]

SharkBot can hide and send SMS messages.SharkBot can also change which application is the device’s default SMS handler.^[1]