Cybercriminals are using fake versions of popular Android applications to infect victims with trojan malware, and the trojan is only installed after the user has first downloaded a fake ad blocker.
TeaBot, also known as Anatsa, is able to take full remote control of Android devices, allowing cybercriminals to steal bank details and other sensitive information through keylogging, and to intercept authentication codes.
The malware first appeared in December last year, and the campaign remains active. The authors of TeaBot try to trick victims into downloading malicious software by disguising it as fake versions of popular apps, the real versions of which have often been downloaded millions of times.
As described by cybersecurity researchers at Bitdefender, these include fake versions of antivirus apps, the VLC open source media player, audiobook players and more. The malicious versions use slightly different names and logos from those of the real apps.
The malicious apps are not distributed through the official Google Play Store, but are hosted on third-party websites.
One of the ways victims are steered towards the malicious apps is through a fake ad blocker app that acts as a dropper, although it is currently unknown how victims are lured to the ad blocker in the first place.
The fake ad blocker has no real functionality, but asks for permission to draw over other applications, display alerts and install apps from outside Google Play. It then uses that last permission to install the fake apps, which are hidden once installed.
These hidden apps repeatedly display fake ads that, ironically for something posing as an ad blocker, often claim the smartphone has been damaged by a malicious app and urge the user to tap a link for the fix. Tapping that link is what downloads TeaBot to the device.
The infection chain may seem convoluted, but splitting it into several stages, none of which looks especially malicious on its own, makes the malware less likely to be detected.
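The permission combination the dropper asks for (draw over other apps plus install packages from outside Google Play) and the missing home-screen icon of the payload apps are both visible statically in an app's manifest. The following triage script is an added example written for this page, not code from the article or from Bitdefender; it assumes a decoded AndroidManifest.xml as produced by a tool such as apktool, and the three manifests it checks are constructed for the example rather than taken from any real sample. The permission and intent names are the standard Android ones.

```python
"""Static triage of a decoded AndroidManifest.xml for the dropper pattern
described above: the overlay + install-unknown-apps permission pair, and
payload apps that register no launcher entry (so they show no icon).

Added example, not code from the article or from Bitdefender. The manifests
below are constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard Android permission names. The overlay permission lets an app draw
# the fake "your phone is damaged" alerts over other apps; the install
# permission lets it prompt the user to install an APK from outside the Play Store.
DROPPER_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
F_DROPPER = "requests overlay + install-unknown-apps (dropper pattern)"
F_NO_ICON = "no MAIN/LAUNCHER activity: app has no home-screen icon"


def requested_permissions(root):
    """All <uses-permission android:name=...> values in the manifest."""
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}


def has_launcher_entry(root):
    """True if any activity or activity-alias registers a MAIN/LAUNCHER filter."""
    for comp in root.iter():
        if comp.tag not in ("activity", "activity-alias"):
            continue
        for flt in comp.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            cats = {c.get(ANDROID_NS + "name") for c in flt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                return True
    return False


def triage_manifest(xml_text):
    """Return the package name, its requested permissions and a list of findings."""
    root = ET.fromstring(xml_text)
    perms = requested_permissions(root)
    findings = []
    if DROPPER_PERMISSIONS <= perms:          # both dropper permissions requested
        findings.append(F_DROPPER)
    if not has_launcher_entry(root):          # nothing the user can tap to open it
        findings.append(F_NO_ICON)
    return {"package": root.get("package"), "permissions": sorted(perms), "findings": findings}


# Constructed sample 1: the "ad blocker" dropper. It has an icon (the victim
# installs and opens it) but asks for the overlay + install permissions.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.adblocker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Ad Blocker">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample 2: a hidden payload app. MAIN without LAUNCHER means no
# icon on the home screen; it starts itself from a boot receiver instead.
HIDDEN_PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Player">
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample 3: an ordinary app with an icon and only network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".NotesActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for xml in (DROPPER_MANIFEST, HIDDEN_PAYLOAD_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(xml)
        print(result["package"], "->", result["findings"] or ["nothing flagged"])
```

This is a triage heuristic, not a verdict: legitimate apps (floating chat bubbles, alternative app stores) also request these permissions, and a payload can hide its icon at runtime rather than in the manifest, which a static check will not see. For an app already on a device, `adb shell dumpsys package <package>` lists the permissions it requested and which have been granted, which is the quick way to act on the "be aware of the permissions of your Android apps" advice below.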
TeaBot seems to be concentrating heavily on Western Europe, with Spain and Italy the current hotspots for infections – although users in the UK, France, Belgium, the Netherlands and Austria are also frequent targets.
The campaign remains active, and although many of the distribution methods beyond the fake ad blocker remain unknown, there are precautions users can take to avoid becoming a victim.
“Never install apps outside the official store. Also, never click on links in messages and always be aware of the permissions of your Android apps,” Bitdefender researchers said in the blog post.