TeaBot malware can take full control of Android devices
Unlike App Store customers, Android users are technically not forced to make in-app purchases through Google. That’s because the Play Store is not a walled garden like the App Store is and Google allows Android users to sideload apps from a third-party app store. However, by tricking Android users to use such third-party app stores, criminals are persuading Android users to install apps that most likely haven’t been properly vetted leading to the spread of malware.
Bitdefender cites two new banker trojan malware programs called TeaBot and Flubot that help trick Android users into installing what they think are legitimate apps from popular and well-known brands but turn out to be malware-infested. Bitdefender recently found five new malicious Android apps that contain the TeaBot trojan and imitate legitimate Android apps that are popular with at least one app having been installed over 50 million times.
The cybersecurity firm discovered that the infected TeaBot apps use fake Ad Blocker apps to distribute malware. The fake apps ask permission to display over other apps, show notifications, and install apps outside of the Play Store. Once these apps are installed, their icons are hidden.
Make no mistake about it, TeaBot has the potential to do some serious damage including “overlay attacks via Android Accessibility Services, intercept messages, perform various keylogging activities, steal Google Authentication codes, and even take full remote control of Android devices.”
Flubot imitates shipping apps like DHL Express Mobile with over 1 million installs from the Google Play Store, Fedex with over 5 million Android installations, and Correos with over 500,000 downloads.
There is actually a way to protect yourself from having this malware infect your phone. Bitdefender suggests that you never, ever sideload apps on your device, In other words, stick to the App Store and the Google Play Store when installing apps for your iOS and Android devices respectively. Also, you should never tap on links in messages, and “always be mindful of your Android apps’ permissions.”
Flubot is spread through SMS spam
The fake apps containing the TeaBot payload are designed to look like the real thing although some of them have small changes in their label name and icon. For example, the real version of streaming television app Pluto TV has a label that reads “Pluto TV-it’s free TV.” The fake and infected version of the app has no space between Pluto and TV and reads “PlutoTV.”
Nearly 93% of the fake apps trying to distribute TeaBot come from an app called MediaPlayer that tries to imitate one of the most popular titles in the Google Play Store, VLC. The latter is a “free and open source cross-platform multimedia player” with over 100 million installations. Note the big difference in the icon between the clean and infected versions of the app.
79.5% of Teabot malware has been discovered in Spain with 11.18% disseminated in Italy and 4.6% distributed in the Netherlands.