New FluBot and TeaBot malware distribution campaigns have been discovered in Australia, Germany, Poland, Spain, and Romania, using traditional smishing lures or trojanized apps to target Android users. Phony courier notifications, “Is this you in this video?” lures, fake browser updates, and deceptive voicemail alerts are among the SMS themes used to spread the FluBot malware.
Researchers at Bitdefender Labs followed the latest FluBot campaign, intercepting more than 100,000 malicious SMS messages since December 2021, which shows the scale at which the threat actor distributes its lures. According to the research, FluBot operators attack in short-term waves, with different lures for each region.
After infecting a device, the malware harvests the victim’s contact list and sends out further SMS lures from it. Because recipients trust messages from known contacts, this worm-like behaviour drives higher infection rates and keeps the campaign growing. FluBot distribution continued throughout 2021, and reports of high-volume 2022 activity show that its operators aren’t yet ready to give up.
TeaBot is a separate Android banking malware that has a worldwide reach and was identified in January 2021. According to Bitdefender, TeaBot has appeared on the Play Store numerous times since December 2021. Researchers said that TeaBot is transmitted to unwary users via trojanized apps on the Google Play Store, including:
- QR Code Reader – Scanner App – 100,000 downloads
- QR Code Scan – 10,000 downloads
- Smart Cleaner – 1,000 downloads
- Weather Daily – 10,000 downloads
- QR Scanner APK – 10,000 downloads
- Weather Cast – 10,000 downloads
None of these apps contained malicious code themselves, and they all did what they promised, which allowed them to pass the Google Play Store’s review process and reach a larger pool of potential victims. Furthermore, the actors aggressively promoted these apps by paying for placement in Google Ads shown inside other apps and games.
Once installed and launched on the victim’s device, however, the apps started a background service that checked the device’s country code and halted if the result was Ukraine, Uzbekistan, Uruguay, or the US. For every other victim, the app retrieved its configuration and downloaded an APK containing a TeaBot variant from a GitHub repository. At the same time, the app asked the user to allow installation of packages from third-party sources.
Bitdefender investigators discovered 17 distinct versions of TeaBot infecting devices through the apps listed above between December 6, 2021 and January 17, 2022. The TeaBot campaign demonstrates that installing apps from the Google Play Store doesn’t guarantee safety. It’s therefore best to be cautious when installing new apps: read user reviews, keep an eye on the app’s network and battery consumption, and grant only permissions the app plausibly needs for its stated purpose.
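The two permission patterns described above (a dropper that asks to install packages it fetched at runtime, and a smisher that pairs contact access with SMS sending) can be spotted in an app’s manifest before it is trusted. The following Python is an added illustration written for this article, not Bitdefender’s or the malware’s code; the manifest it inspects is constructed to mimic the dropper layout the article describes and is not taken from any real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# REQUEST_INSTALL_PACKAGES is the permission an app needs before it can
# prompt the user to side-load an APK it downloaded (the TeaBot dropper step).
DROPPER_PERMS = {
    "android.permission.INTERNET",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
# READ_CONTACTS + SEND_SMS is the pairing a worm-like smisher needs to
# reuse the victim's contact list for new lures (the FluBot step).
SMISHING_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
}

def manifest_findings(manifest_xml: str) -> dict:
    """Return declared permissions and which risky combinations are complete."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # A declared <service> is where a dropper runs its geofence check and
    # payload download in the background, so it strengthens the dropper signal.
    has_service = any(True for _ in root.iter("service"))
    return {
        "permissions": perms,
        "dropper_pattern": DROPPER_PERMS <= perms and has_service,
        "smishing_pattern": SMISHING_PERMS <= perms,
    }

# Constructed sample manifest (hypothetical package name): a QR scanner that
# also declares the install-packages permission and a background service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="QR Scanner">
    <activity android:name=".MainActivity"/>
    <service android:name=".UpdateService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(manifest_findings(SAMPLE_MANIFEST))
```

On a real APK the manifest is binary XML; decode it first (for example with apktool or aapt) and feed the resulting text to the function.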
Note that this isn’t the first time TeaBot has gained access to the Play Store via laced applications, and it’s unlikely to be the last.