Criminals are now creating fake versions of popular apps in order to infect users with Trojan malware. The Android Trojans TeaBot and Flubot steal bank details through fake apps that infect Android devices in Europe, Bitdefender warns.
Bitdefender's security team has identified five new apps that impersonate legitimate ones and drop banking Trojans.
The fake apps that contain the Trojans are based on popular apps on Google Play but are distributed through third-party websites.
This fake Android app campaign dates back to December 2020, earlier than Cleafy cybersecurity researchers had previously identified (https://cyberintelmag.com/malware-viruses/new-android-banking-trojan-steals-users-credentials-in-europe/).
In addition, Bitdefender has identified a new method that attackers used to distribute TeaBot (also known as Anatsa): a fake ad blocker application. Researchers say the attackers most likely use other delivery methods as well.
Unlike TeaBot, Flubot didn't rely on fake apps but was delivered through spam SMS messages.
Attackers use TeaBot/Anatsa to remotely control Android devices and steal sensitive information. They achieve this by keylogging and stealing authentication codes.
Attackers created phony versions of various Android apps, such as antivirus apps, the VLC open source media player, and audiobook players, and trick users into downloading them. Although Google does not distribute these fake apps, they still reach users through other means. The majority of the malicious apps are hosted on third-party websites.
One of the ways that victims are targeted is through a fake ad blocker app. This app acts as a dropper and can trick victims into downloading other malicious apps. The fake ad blocker asks for permissions to display and install apps from outside the Google Play Store that hide after installation.
These apps will often show phony adverts claiming that a victim's device has been damaged by a malicious app and prompting the user to open a link to the solution, which downloads TeaBot onto their device.
Most of the infections by TeaBot are directed at users in Western Europe, with Spain and Italy getting the majority of hits.
The campaign is still active, researchers warn, and advise that users should take simple precautionary measures to avoid becoming a victim:
“Never install apps outside the official store. Also, never tap on links in messages and always be mindful of your Android apps’ permissions,” Bitdefender researchers advised in the blog post.