Widespread Android FluBot and TeaBot Malware Campaigns

Short News:-


There have been more than 100,000 malicious SMS messages attempting to distribute FluBot malware since December. TeaBot disguises itself as QR code scanner apps: an Android trojan called TeaBot was discovered lurking in the Google Play Store between December 6, 2021, and January 17, 2022. Anatsa dropper apps, including 2FA Authenticator, QR Scanner APK, QR Code Scan, and Smart Cleaner, have been found on Google's Play Store. The malware authors are believed to have paid to appear in Google Ads served within other legitimate applications and games.


Zimperium zLabs has revealed details of yet another premium service abuse campaign similar to GriftHorse. As many as 470 apps were used to sign up users for $15 monthly paid services. Codenamed "Dark Herring," the scam has been traced back to March 2020.



Detailed News:-

There have been more than 100,000 malicious SMS messages attempting to distribute FluBot malware since the beginning of December, according to researchers from Bitdefender's Mobile Threats Team.


In a report published Wednesday, the Romanian cybersecurity firm outlined findings indicating that attackers are modifying their subject lines and reusing older but proven scams to entice users to click. Meanwhile, the attackers are constantly shifting the countries they target in this campaign.


Around the middle of January the attacks began spreading to newer countries such as Romania, the Netherlands, and Thailand, while most of the activity remained concentrated in Australia, Germany, Poland, and other European countries.


TeaBot pretends to be a QR code scanner app.

FluBot isn't the only one. An Android app called "QR Code Reader - Scanner App" was downloaded by more than 100,000 people between December 6, 2021, and January 17, 2022, and delivered 17 different variants of the TeaBot (aka Anatsa) trojan to their devices.


In an increasingly common tactic, the app does deliver the functionality it promises, but it also retrieves a malicious APK file hosted on GitHub, and only after verifying that the country code of the currently registered network operator does not begin with the letter "U."


The user is then shown a fake interface during installation claiming that an add-on update is required; the setting that allows installs from unknown sources must be enabled, with the user's explicit permission, before the rogue app can be installed.




FluBot (also known as Cabassous) campaigns primarily target potential victims via smishing: users receive an SMS message asking "Is this you in this video?" and clicking the link downloads and installs the malicious code.
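The smishing lure described above is the kind of text a defender can score before a link is ever tapped. The following is an added example, not code from the original article or from Bitdefender: a small heuristic scorer run over constructed sample messages. The lure pattern comes from the page; the shortener list, the weights, the threshold and the sample messages are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlparse

# Lure text the page reports for FluBot smishing ("Is this you in this video?").
# The pattern list is an assumption: extend it with lures seen in your own telemetry.
LURE_PATTERNS = [
    re.compile(r"is this you in (this|the) video", re.IGNORECASE),
]

# Constructed list of URL shorteners. Shortened or plain-HTTP links in an
# unsolicited SMS are weak indicators on their own, so they only add to a score.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

SUSPICIOUS_THRESHOLD = 3  # assumed cut-off; tune against real traffic


def score_sms(text: str) -> dict:
    """Return a score, the reasons behind it and a verdict for one SMS body."""
    score = 0
    reasons = []

    for pattern in LURE_PATTERNS:
        if pattern.search(text):
            reasons.append("lure:" + pattern.pattern)
            score += 2

    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            reasons.append("shortener:" + host)
            score += 2
        if url.lower().split("?")[0].endswith(".apk"):
            # A link that hands out an APK directly is the strongest single signal.
            reasons.append("direct-apk-link")
            score += 3
        if url.lower().startswith("http://"):
            reasons.append("plain-http")
            score += 1

    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign"
    return {"score": score, "reasons": reasons, "verdict": verdict}


def triage(messages):
    """Score a batch of SMS bodies; returns a list of (text, result dict)."""
    return [(msg, score_sms(msg)) for msg in messages]


# Constructed sample messages (not real captures).
SAMPLE_SMS = [
    "Is this you in this video? http://bit.ly/3xampl",
    "Hey, the meeting moved to 3pm, agenda: https://calendar.example.com/evt/12",
    "New voicemail waiting: https://cdn.example.net/update.apk",
]

if __name__ == "__main__":
    for msg, result in triage(SAMPLE_SMS):
        print(f"{result['verdict']:<10} score={result['score']} {result['reasons']} | {msg}")
```

The scoring is additive so that a lure phrase alone, or a shortened link alone, does not trip the threshold, while the combination the page describes (lure plus link) does; a direct APK link is weighted to be suspicious on its own.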


"This new vector for the banking trojan shows that attackers are looking to expand beyond regular malicious SMS messages," the researchers stated.


More dropper apps, including 2FA Authenticator, QR Scanner APK, QR Code Scan, and Smart Cleaner, have been found on the Play Store since at least April 2021, according to Bitdefender.


Additionally, operators are employing a technique known as versioning, which works by first submitting a non-malicious version of an app to Apple's App Store, then updating it with additional malicious features as time goes on.


The malware authors are believed to have paid to appear in Google Ads served within other legitimate applications and games, "giving them screen time in an app that could have millions of users," in addition to circumventing the Play Store's protections.



According to ThreatFabric, a cybersecurity firm in the Netherlands, six Anatsa droppers have been found on the Play Store since June 2021. Users were asked to grant Accessibility Service privileges and permissions to install apps from unknown third-party sources before the "update" could be downloaded and installed on their phones or tablets.
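The dropper behaviour described above (a benign first release, an "update" that needs Accessibility Service access and unknown-source installs) can be turned into a triage rule over a device inventory. The block below is an added example, not code from the original article, ThreatFabric or Bitdefender. The permission and installer identifiers are real Android strings; the inventory records, package names and the risk levels are constructed assumptions shaped like what an MDM export might provide.

```python
# Real Android identifiers used below; the inventory records are constructed.
PERM_INSTALL_PACKAGES = "android.permission.REQUEST_INSTALL_PACKAGES"
PERM_READ_SMS = "android.permission.READ_SMS"
PERM_CAMERA = "android.permission.CAMERA"
PERM_INTERNET = "android.permission.INTERNET"
PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed inventory: the permissions recorded when each app was first
# installed, the permissions it holds now, whether it declares an
# accessibility service, and which installer put it on the device.
APP_INVENTORY = [
    {
        "package": "com.example.qrscanner",          # hypothetical package name
        "installer": PLAY_STORE_INSTALLER,
        "perms_at_install": [PERM_CAMERA, PERM_INTERNET],
        "perms_now": [PERM_CAMERA, PERM_INTERNET, PERM_INSTALL_PACKAGES],
        "accessibility_service": True,
    },
    {
        "package": "com.example.notes",              # hypothetical package name
        "installer": PLAY_STORE_INSTALLER,
        "perms_at_install": [PERM_INTERNET],
        "perms_now": [PERM_INTERNET],
        "accessibility_service": False,
    },
    {
        "package": "com.example.sideloaded",         # hypothetical package name
        "installer": None,
        "perms_at_install": [PERM_INTERNET, PERM_READ_SMS],
        "perms_now": [PERM_INTERNET, PERM_READ_SMS],
        "accessibility_service": False,
    },
]


def assess(app: dict) -> list:
    """Return the indicator names that apply to one inventory record."""
    flags = []
    now = set(app["perms_now"])
    added = now - set(app["perms_at_install"])
    if added:
        # Permissions that appeared after the initial install suggest the
        # "versioning" trick: a benign first release, malicious later updates.
        flags.append("versioning:" + ",".join(sorted(added)))
    if app["accessibility_service"] and PERM_INSTALL_PACKAGES in now:
        # Accessibility access plus the ability to install packages is the
        # combination the droppers asked users to grant before the "update".
        flags.append("dropper-pattern")
    if app["installer"] != PLAY_STORE_INSTALLER:
        flags.append("sideloaded")
    if PERM_READ_SMS in now:
        flags.append("sms-access")
    return flags


def risk_level(flags: list) -> str:
    """Assumed mapping from indicators to a coarse risk level."""
    if "dropper-pattern" in flags:
        return "high"
    return "medium" if flags else "low"


def triage_inventory(inventory: list) -> dict:
    """Map each package name to its (risk level, flags)."""
    result = {}
    for app in inventory:
        flags = assess(app)
        result[app["package"]] = (risk_level(flags), flags)
    return result


if __name__ == "__main__":
    for pkg, (level, flags) in triage_inventory(APP_INVENTORY).items():
        print(f"{level:<6} {pkg} {flags}")
```

Comparing permissions at install time against the current set is what catches the versioning trick; a single snapshot of the current manifest would only show an app that looks like any other scanner with an update feature.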


Similarly, Pradeo researchers discovered that the "2FA Authenticator" two-factor authentication app, which was distributed through the Google Play Store and downloaded more than 10,000 times, contained a banking trojan named Vultur, which targets financial services in order to steal users' banking information.


The 2FA Authenticator app is being used to spread malware to its users' devices, according to the researchers. "It has been designed to appear legitimate and offer a real service. As a result, its developers used the open-source Aegis authentication application code to insert malicious code."


Richard Melick, director of endpoint security at Zimperium, says that malicious actors treat malware like a product, working hard to get around security measures and gain more victims.


"When one version is disrupted, the malicious actors return to developing the next version, especially if the results have been successful. And the mobile endpoint is a lucrative target for attackers, as well," Melick added.


From GriftHorse to Dark Herring

Zimperium zLabs recently revealed details of yet another premium service abuse campaign similar to GriftHorse, which used as many as 470 seemingly innocent apps to sign up users for $15 monthly paid services they were not aware of.


It is estimated that up to 105 million people across more than 70 countries have been affected by the billing fraud, which has been dubbed "fleeceware."


Codenamed "Dark Herring," the scam has been traced back to March 2020, making it the longest-running mobile SMS scam discovered to date.


In spite of the Play Store's purge, trojan apps can still be found in third-party app stores, highlighting the dangers of sideloading applications onto mobile devices.


There were over 470 Android apps, but "the distribution of the applications was extremely well-planned," Zimperium researcher Aazim Yashwant explained. The false sense of security was bolstered by the fact that the apps themselves worked as promised.

