Security researchers have found a new batch of malicious Android applications trying to lure victims by impersonating popular applications. The targeted applications were mostly from renowned financial institutions while spreading TeaBot and FluBot trojans.
What has been discovered?
Attackers are imitating genuine applications of popular banking and financial services across Europe, South America, Africa, and some parts of Asia.
Five malicious applications were discovered spreading TeaBot, masquerading as banking apps, targeting customers of Santander bank, Liberbank, Openbank, BBVA Spain, and BBVA Mexico, among others.
A FluBot campaign was observed imitating postal and logistic service apps, including DHL Express Mobile, FedEx Mobile, and Correos. It was targeting victims across Germany, Spain, Italy, the U.K, Sweden, and others.
Delivery mechanism
The operators of the campaigns used interesting methods to deliver the malware that has been mentioned here. These methods would achieve their purpose via keylogging or stealing authentication codes.
Attackers were found using a fake Ad Blocker app as a delivery mechanism for dropping TeaBot.
In addition, two applications with the package names ‘com.intensive.sound’ and ‘com.anaconda.brave’, that were imitating fake Ad Blocker apps, were used to download the malware. These were identified as Android.Trojan.HiddenApp.AID.
FluBot operators were found using spam SMS to send the malicious URL to the targets. It steals the real names and numbers from the victim’s device and uses them to send more fake SMS carrying malicious links from the user’s device itself.
Researchers have mentioned that besides the distribution methods identified so far, attackers may be using several more methods that are yet to be discovered.
Conclusion
The use of fake or lookalike malicious applications has been an old yet popular and effective method to spread malware. Therefore, security experts recommend strictly avoiding the installation of applications from outside official app stores and avoiding links received in messages from unknown sources.