FluBot and TeaBot malware are back on Android

Some malware manage to readjust, disappearing for a few months and then returning to the office with different objectives or methods: this is the case with TeaBot And FluBot, trojans (re) discovered by researchers Bitdefender in these days. Let’s see how they attack so we know how to defend ourselves.

Still malware charging with TeaBot and FluBot: finding them is not difficult with a little attention

We have already met TeaBot and FluBot in recent months, malware that hide inside apparently harmless applications and that spread mostly via SMS, sent from already compromised devices with the intent to attack others. These are basically banking Trojans, which try to steal account access data, but also contacts, SMS and other types of private data: among their capabilities we also have that of commanding and controlling messages, which allows them to adapt depending on banks and countries.

What are the SMS messages to watch out for not to get fooled? According to Bitdefender Labs, which has intercepted more than 100,000 malicious SMS of this type since the beginning of December (which are intended to spread FluBot), they are mainly those of fake couriers (51.85%) and the classic “is that you in this video?” (25.03%). Further scam attempts based on bogus browser updates, bogus voicemail messages, bogus system updates and so on follow at a distance.

In recent weeks, FluBot seems to have concentrated mainly in Australia and Germany, but there are other European countries such as Romania (especially since January), Poland, the Netherlands, Spain and Austria. Under a pretext, malware tries to either steal login data (phishing) or have malicious software installed.

The Google Play Store remains the safest place to download and install apps for Android, but as already demonstrated in the past there are problems, in this case related to the banking trojan TeaBot (or rather, a “variant” of it). The investigations led to the app called “QR Code Reader – Scanner App”, with more than 100,000 downloads: the latter helped distribute 17 versions of the malware in question for just over a month.

How does it work? The app seems to work for what it was designed, but in the background a service acts that checks the international prefix of the current operator: if it discovers a country that begins with “U” (such as USA, for example) or is not available, the app skips the execution of the malicious code, otherwise it proceeds. A similar system was used for other apps on the Play Store, such as “2FA Authenticator”, “Weather Cast” and “Weather Daily”, which were then fortunately blocked.

Therefore, always pay attention to what you install on your Android smartphone or tablet, even if it comes from the Google Play Store: always pay attention to the permissions requested by the apps (if inconsistent or deemed excessive, avoid taking risks), reviews and the number of installations. If it makes you feel safer, you can also rely on one of the antivirus solutions available for Android.

To learn more about the latest FluBot and TeaBot malware attacks you can follow this link.

Leave a Comment