Fake versions of Android apps are used by cyber criminals to infect users with malicious Trojans. The malware is installed after the user downloads a fake ad blocker.
TeaBot – also known as Anatsa – is able to take full remote control of Android devices, allowing cybercriminals to steal banking data and other sensitive information through keylogging and the theft of authentication codes.
The malware first appeared in December of last year and the campaign remains active. The authors of TeaBot attempt to trick their victims into downloading the malware by disguising it as fake versions of legitimate and popular apps, the true versions of which have often been downloaded millions of times.
As Bitdefender cybersecurity researchers detail, spoofed Android apps include antivirus, open source VLC media player, audiobook players, and more. Their malicious versions use slightly different names and logos.
The malicious apps are not hosted on the Google Play Store but on third-party websites; how users are directed to those sites remains a mystery to researchers.
One of the ways victims are led to the malicious apps is through a bogus ad blocker app that acts as a “dropper”, although it is not known how victims are directed to the ad blocker either. The fake ad blocker has no real functionality, but asks for permissions to display on top of other apps, show notifications, and install apps from outside the Google Play Store. The fake apps it installs hide themselves once installed.
TeaBot targets Europe
These hidden apps repeatedly show fake ads. Ironically, they often claim that the smartphone has been infected with a malicious application and encourage the user to click on a link to find the solution; that link is what downloads TeaBot to the device. The infection method may seem convoluted, but breaking it into several stages makes detection of the malware less likely.
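The permission combination the dropper asks for (overlay on top of other apps, notifications, and installing apps from outside Google Play) is a usable static triage signal for a utility app that should need none of them. The script below is an added example, not Bitdefender's code or anything from the TeaBot campaign: it reads a constructed, already-decoded AndroidManifest.xml (binary manifests inside an APK must first be decoded with a tool such as apktool) and flags that combination.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission set the article attributes to the fake ad-blocker dropper.
DROPPER_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.POST_NOTIFICATIONS": "show notifications",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install apps from outside Google Play",
}

# Constructed sample manifest (decoded AndroidManifest.xml); not from a real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.adblocker.fake">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Ad Blocker"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Collect the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    key = f"{{{ANDROID_NS}}}name"
    return {el.get(key) for el in root.iter("uses-permission") if el.get(key)}


def triage_manifest(manifest_xml):
    """Return (package name, matched dropper permissions, verdict)."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    matched = sorted(p for p in DROPPER_PERMISSIONS if p in perms)
    # All three together is the dropper pattern from the article; the ability to
    # sideload packages alone already deserves review for a simple utility app.
    if len(matched) == len(DROPPER_PERMISSIONS):
        verdict = "suspicious: dropper-like permission set"
    elif "android.permission.REQUEST_INSTALL_PACKAGES" in matched:
        verdict = "review: requests ability to sideload apps"
    else:
        verdict = "no dropper indicators"
    return root.get("package"), matched, verdict


if __name__ == "__main__":
    pkg, matched, verdict = triage_manifest(SAMPLE_MANIFEST)
    print(pkg, "->", verdict)
    for p in matched:
        print(" -", p, ":", DROPPER_PERMISSIONS[p])
```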
TeaBot appears to be focusing on Western Europe, with Spain and Italy being the main hotbeds of infection. However, users in the UK, France, Belgium, the Netherlands and Austria are also frequently targeted.
The campaign remains active, and while many distribution methods beyond the bogus ad blocker remain unknown, there are precautions users can take to avoid falling victim to it. “Never install apps outside of the official store. Likewise, never click on links in messages and always pay attention to the permissions of your Android applications,” Bitdefender researchers advise in the blog post.