Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Teabot. Show all posts

Android Malware in Google Play Stealing Victim's Data

 

Cyber threat intelligence warned the users that an Android banking malware ‘TeaBot’ stealing users' private data and SMS messages has been downloaded thousands of times via Google Play Store. According to the experts, 'TeaBot,' is an Android banking trojan that first came to be known at the beginning of 2021 as a trojan designed to steal victims' text messages. 

According to the online fraud management and prevention solution Cleafy, in the initial phase, TeaBot was distributed through smashing campaigns using a predefined list of lures, such as VLC Media Player, TeaTV, DHL and UPS, and others. 

Following the incident, the researchers said that "In the last months, we detected a major increase of targets which now count more than 400 applications, including banks, crypto exchanges/wallets, and digital insurance, and new countries such as Russia, Hong Kong, and the US." 

From February, TeaBot Trojan has started supporting new foreign languages including Russian, Mandarin Chinese, and Slovak. It helps cybercriminals in displaying custom messages during the installation phases. 

On February 21, the Threat Intelligence and Incident Response (TIR) team from Cleafy has detected an application and published it on the official Google Play Store, which was acting as a dropper application delivering TeaBot with a fake update procedure. Once downloaded by the user, the dropper will ask them to update immediately through a popup message. 

"The dropper lies behind a common QR Code & Barcode Scanner and it has been downloaded more than 10,000 times. All the reviews display the app as legitimate and well-functioning," the team added.

Threat Actors Blanket Androids with Flubot & Teabot Campaigns

 

Researchers have found a bundle of dynamic campaigns transmitting the Flubot and Teabot trojans through a variety of delivery strategies, with threat actors utilizing smishing and pernicious Google Play applications to target victims with fly-by assaults in different locations across the globe. 

Specialists from Bitdefender Labs said they have caught more than 100,000 malignant SMS messages attempting to transmit Flubot malware since the start of December, as indicated by a report distributed Wednesday. 

During their analysis of Flubot, the team additionally found a QR code-peruser application that has been downloaded more than 100,000 times from the Google Play store and which has disseminated 17 different Teabot variations, they said. 

Flubot and Teabot surfaced on the scene last year as somewhat clear financial trojans that take banking, contact, SMS and different kinds of private information from infected gadgets. Be that as it may, the administrators behind them have interesting strategies for spreading the malware, making them especially nasty and expansive. 
 
Flubot was first founded in April focusing on Android clients in the United Kingdom and Europe using noxious SMS messages that nudged recipients to introduce a "missed package delivery" application, exhibiting a component of the malware that allows attackers to utilize command and control (C2) to send messages to victims. 

This feature permits administrators to rapidly change targets and other malware highlights on the fly, augmenting their assault surface to a worldwide scale without requiring a complex framework. For sure, campaigns later in the year targeted Android users in New Zealand and Finland. 

“These threats survive because they come in waves with different messages and in different time zones,” Bitdefender researchers wrote in the report. 

“While the malware itself remains pretty static, the message used to carry it, the domains that host the droppers, and everything else is constantly changing. For example, in the month between Dec. 1 of last year and Jan. 2 of this year, the malware was highly active in Australia, Germany, Spain, Italy and a few other European countries.”   

Campaigns between Jan. 15 and Jan. 18 then, at that point, moved to different parts of the globe, including Romania, Poland, the Netherlands, Spain and even Thailand, they found. 
 
Attackers likewise spread out past attempting to fool users into thinking they missed a package delivery- what Bitdefender named "fake courier messages" - to disseminate Flubot. However this strategy was available in almost 52% of campaigns specialists noticed, they likewise utilized a trick named "is this you in this video" that is a take-off of a credential-stealing campaign that has been streaming steadily via web-based media in around 25% of noticed missions, analysts wrote. 

“When the victim clicks on the link, it usually redirects them to a fake Facebook login that gives attackers direct access to credentials,” researchers explained. 

Flubot administrators have gotten on this trick and are involving a variety of it in one of the smishing efforts noticed, with clients getting an SMS message that inquires, "Is this you in this video?" researchers noted. In any case, the objective of the mission is very similar: to some way or another trick users into installing the software under some cover. 

“This new vector for banking trojans shows that attackers are looking to expand past the regular malicious SMS messages.”
  
Among different lures, Flubot administrators likewise utilized SMS messages utilizing counterfeit program updates and phoney phone message notices in around 8% of noticed campaigns, separately, analysts stated.