Cyber criminals are now using fake versions of popular Android applications in order to infect victims with trojan malware – which are only installed after the user downloads a fake ad blocker.
TeaBot – also known as Anatsa – is able to take full remote control of Android devices, allowing cyber criminals to steal bank details and other sensitive information with the aid of keylogging and stealing authentication codes.
The malware first emerged in December last year and the campaign remains active. The authors of TeaBot attempt to trick victims into downloading the malware by disguising it as fake versions of popular apps, the real versions of which often have often been downloaded millions of times.
As detailed by cybersecurity researchers at Bitdefender here, these include phoney versions of Android apps including antivirus apps, the VLC open source media player, audiobook players and more. The malicious version of the apps use slightly different names and logos to the real ones.
The malicious apps aren’t being distributed by the official Google Play Store, but are hosted on third-party websites – although many of the ways people are directed to them still remains a mystery to researchers.
One of the ways the victims are driven towards the malicious apps is via a fake ad blocker app which acts as a dropper – although it’s unknown how victims are directed towards the ad blocker in the first place.
The fake ad blocker doesn’t have any real functionality, but asks for permissions to display over other applications, show notifications and install apps from outside Google Play – the fake apps which are hidden after they’re installed.
However, these hidden apps will repeatedly show phoney adverts – ironically, often claiming that the smartphone has been damaged by a malicious app – encouraging the user to click a link for the solution. It’s this which downloads TeaBot onto the device.
The method of infection might appear convoluted, but dividing it over a number of steps makes it less likely that the malware will be detected.
TeaBot appears to concentrate much of its targeting on Western Europe, with Spain and Italy the current hotspots for infections – although users in the UK, France, Belgium, the Netherlands and Austria are also frequent targets.
The campaign remains active and while many of the methods of distribution outside the fake Ad Blocker remain unknown, there are precautions which users can take to avoid becoming a victim.
“Never to install apps outside the official store. Also, never tap on links in messages and always be mindful of your Android apps’ permissions,” Bitdefender researchers advised in the blog post.
MORE ON CYBERSECURITY