This Android trojan malware is using fake apps to infect smartphones, steal bank details

TeaBot malware tells victims they need to click a link because the phone is damaged with a virus - and infects them via the link.
Written by Danny Palmer, Senior Writer

Cyber criminals are now using fake versions of popular Android applications to infect victims with trojan malware – and these are only installed after the user downloads a fake ad blocker.

TeaBot – also known as Anatsa – is able to take full remote control of Android devices, allowing cyber criminals to steal bank details and other sensitive information with the aid of keylogging and stealing authentication codes.

The malware first emerged in December last year and the campaign remains active. The authors of TeaBot attempt to trick victims into downloading the malware by disguising it as fake versions of popular apps, the real versions of which have often been downloaded millions of times.

SEE: Cybersecurity: Let's get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)

As detailed by cybersecurity researchers at Bitdefender, these include phoney versions of Android apps including antivirus apps, the VLC open-source media player, audiobook players and more. The malicious versions of the apps use slightly different names and logos to the real ones.

The malicious apps aren't being distributed by the official Google Play Store, but are hosted on third-party websites – although many of the ways people are directed to them still remains a mystery to researchers.

One of the ways the victims are driven towards the malicious apps is via a fake ad blocker app that acts as a dropper – although it's unknown how victims are directed towards the ad blocker in the first place.

The fake ad blocker doesn't have any real functionality, but asks for permissions to display over other applications, show notifications and install apps from outside Google Play – these are fake apps that are hidden after they're installed.

However, these hidden apps will repeatedly show phoney adverts – ironically, often claiming that the smartphone has been damaged by a malicious app – that encourage the user to click a link for the solution. It's clicking this link that downloads TeaBot onto the device.

The method of infection might appear convoluted, but dividing it over a number of steps makes it less likely that the malware will be detected.

TeaBot appears to concentrate much of its targeting on Western Europe, with Spain and Italy the current hotspots for infections – although users in the UK, France, Belgium, the Netherlands and Austria are also frequent targets.

SEE: Ransomware just got very real. And it's likely to get worse

The campaign remains active and, while many of the methods of distribution outside the fake Ad Blocker remain unknown, there are precautions that users can take to avoid becoming a victim.

"Never install apps outside the official store. Also, never tap on links in messages and always be mindful of your Android apps' permissions," Bitdefender researchers advised in the blog post.


Editorial standards