A slew of popular Android apps are being used as carriers for a fairly popular form of malware targeting banks. The method is, of course, not unheard of. Various malware over the years have disguised their true intentions using the names of beloved and trusted services, with this latest malware simply the most recent example. Here's what you need to know.
The art of deception has always prevailed in the mobile world. For a malware maker, a surefire way to maintain unimpeded access to a device is if the owner themselves lets the malware in. Throughout the years, malicious parties have developed many ways to do just that. Recently, a deceptive app pretended to have access to premium Netflix content from other countries. The malware, once installed, obtained a user's credentials and even monitored the activities of the device it's installed in. Though the app was on the Play Store for only two months, it garnered around 500 downloads. Deceptive malware can still find its market even in 2021.
This latest batch of malware is no different. Reported by Bitdefender researchers, two trojans that targeted bank users — TeaBot and FluBot — are hiding their more nefarious natures under fake versions of popular Android apps. TeaBot, for example, uses deceptive (but believable) versions of VLC, Kaspersky, and Pluto TV. On the other hand, FluBot imitates popular shipping apps DHL and FedEx. Once installed, they can obtain messages, perform keylogging, access Google Authentication codes, and even control the device. However, as they are bank trojans, they focus more on the device's banking apps.
Hiding The Bad Stuff On Android
Though both malwares use imitation, each has their own way of distributing themselves. Fake apps, especially those that use the same name as the original, are usually tracked down and removed from the Play Store eventually. To get around that, TeaBot leads users to links that install the malware from outside the official Play Store. One confirmed method is using a fake Ad Blocker app. It doesn't block apps but still asks permission to draw over other apps. The app then puts out fake notifications that the device was compromised and advertises the malware disguised as legitimate apps. Instead of just using fake apps, FluBot uses direct SMS to distribute itself. Malicious parties obtain an infected device's contacts and then create custom SMS messages and send them straight from the infected device. These messages contain links to download the fake apps.
Avoiding these fake apps shouldn't be difficult, though. The first way to fight against malware is to always install apps from the Google Play Store, rather than through third-party sources. Of course, that might not be enough, especially for apps with seemingly make unbelievable promises. In these cases, it's also important to check an app's developer on the Play Store page to confirm the app is legitimate. As for the fake SMS messages from FluBot, users should always double check why a contact sent a dubious link to them before downloading any Android app attached to a message.
Source: Bitdefender