
Android: beware of these SMS and applications that spread two dangerous malware

According to BitDefender security researchers, two particularly dangerous pieces of malware are still circulating years after they first appeared. The FluBot and TeaBot malware families are being actively spread through hundreds of thousands of text messages and through apps that have passed review on the Google Play Store.

[Image: Android malware. Credits: Pixabay]

Typically, malware and scams have a rather limited lifespan. Once identified by security researchers and countered by the available defences, attackers have little choice but to fall back on other methods. Nevertheless, some malware endures, continuing to claim victims years after it was first released.

This is particularly the case with the FluBot and TeaBot malware. The first is spread via hundreds of thousands of fake text messages that urge the user to install a fake Android update. This is not the only lure used: these SMS also claim a parcel is awaiting delivery, that Flash Player needs updating, or that a voice message was missed. Since the beginning of December 2021, BitDefender researchers have intercepted more than 100,000 malicious text messages aimed at spreading FluBot across many countries.


Android malware FluBot and TeaBot continue to run rampant

As for TeaBot, this malware was already reported in May 2021. In particular, it intercepts SMS messages to defeat two-factor authentication and capture the one-time codes used to log in to banking services. BitDefender specialists found a variant of the malware in a QR code reader app available on the Play Store under the name “QR Code Reader”. After further investigation, the researchers found that this app, which has more than 100,000 downloads, had distributed no fewer than 17 variants of TeaBot over the course of a month.

The app itself is not malicious and offers the expected functionality. The malicious code bundled with the app has a minimal footprint, which keeps it below the detection threshold of the Play Store’s security checks. When the user launches the app, it also starts a background service that checks the country code of the victim’s mobile operator. If that country is on the attackers’ target list, the app retrieves its configuration from a settings file hosted on GitHub at the following address:

“raw.githubusercontent[.]com/isaagluten/qrbarcode/main/settings”

According to BitDefender, this settings file contains a further link, distinct from the GitHub repository file itself, that points to the actual payload to download. BitDefender’s report also closes with an analysis of the geographical distribution of the threat. After mainly targeting Australia, Germany and Poland, the distribution now appears to be led by Romania (72%), Poland (9.3%) and the Netherlands (8.9%).
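The two-stage fetch described above (a raw GitHub "settings" file followed shortly by a payload download) is something a defender can look for in outbound traffic from an instrumented test device. The following detection heuristic is an added example, not Bitdefender's code; the log lines are constructed, the package names are hypothetical, and only the GitHub path comes from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one outbound HTTP(S) request per line from a test device
# (timestamp, package name, URL). Hostnames are defanged with "[.]" as in the
# article; the package names and the payload hosts are hypothetical.
SAMPLE_LOG = """\
2022-01-10T09:00:01 com.example.qrreader https://raw.githubusercontent[.]com/isaagluten/qrbarcode/main/settings
2022-01-10T09:00:03 com.example.qrreader https://example[.]invalid/update/app.apk
2022-01-10T09:05:00 com.example.weather https://raw.githubusercontent[.]com/someproject/widgets/main/settings
2022-01-10T11:30:00 com.example.weather https://cdn.example[.]invalid/icons.png
"""

# A "settings" file at the root of a branch on raw.githubusercontent.com,
# matching both plain and defanged ("[.]") hostnames.
RAW_GITHUB_SETTINGS = re.compile(
    r"^https?://raw\.githubusercontent\[?\.\]?com/[^/]+/[^/]+/[^/]+/settings$"
)
# Downloadable Android code artefacts that a dropper would fetch next.
PAYLOAD = re.compile(r"\.(apk|dex|jar)$", re.IGNORECASE)


def parse(log):
    """Turn the log text into (timestamp, package, url) tuples."""
    events = []
    for line in log.splitlines():
        ts, pkg, url = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), pkg, url))
    return events


def flag_two_stage_fetch(log, window=timedelta(minutes=5)):
    """Return packages that fetch a raw-GitHub settings file and, within
    `window` afterwards, download a code payload: the dropper pattern."""
    by_pkg = defaultdict(list)
    for ts, pkg, url in parse(log):
        by_pkg[pkg].append((ts, url))
    flagged = []
    for pkg, events in by_pkg.items():
        events.sort()
        config_times = [ts for ts, url in events if RAW_GITHUB_SETTINGS.search(url)]
        for ts, url in events:
            if PAYLOAD.search(url) and any(
                timedelta(0) <= ts - c <= window for c in config_times
            ):
                flagged.append(pkg)
                break
    return flagged
```

Because the dropper only performs the fetch when the operator country code is on its target list, a device whose SIM reports another country will never produce these requests, so the log must come from a device or emulator configured with a targeted operator.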

Source: BitDefender
