
Hackers copying popular apps to infect devices with Teabot and Flubot malware

The Flubot malware can steal user passwords and infect their phones, requiring a factory reset. (Unsplash)

The Teabot malware can copy your OTP codes for signing into various services, and steal all your passwords. On weaker and insecure devices, the malware can take complete control.

Malware on mobile devices has been a thorn in the side of users for as long as smartphones have existed, but the pandemic has accelerated its spread as more people download apps and rely on software on their phones and tablets. Malware creators are now reportedly targeting users by cloning popular apps to lure them into installing dangerous software on their devices.

According to a report by security firm Bitdefender, these malware creators have been tricking users into sideloading apps (installing them from outside the main app store) to get past Google Play's malware checks. The report details the impact of two notorious strains, Teabot and Flubot, both of which are 'banking trojans'.


By mimicking the look and feel of popular Android apps such as the VideoLAN (VLC) media player, ad blockers, Kaspersky, Pluto TV, FedEx and various banking applications, these maliciously crafted apps trick users into installing them, after which they begin their attack on the device.

Bitdefender says the apps are distributed by a fake ad-blocker app that "drops" (installs) the malicious payload apps, and notes that there may be other delivery routes as well. The dropper then hides itself from the app list, and the newly installed fake apps start showing the user random ads, presumably to earn money for the malware operators.

[Top] A side-by-side comparison of the real and fake apps. [Bottom] An example of how the app infects a user's device. (Bitdefender)

Because these malicious apps connect to a command-and-control (C2) server, they can remotely receive and execute the Teabot payload. The fake MediaPlayer APK (impersonating VLC) is the disguise the attackers use most often. "Security researchers from Cleafy were the first to identify the malware impersonating the VLC app," the report states.

Teabot watches for the OTP codes you use to sign in to various services, reads every character you type and logs keystrokes. On weaker, insecure devices that have not received security updates, the malware can take complete control.


Flubot, meanwhile, is slightly less insidious than Teabot and spreads via SMS instead. Bitdefender says it examined hundreds of SMS messages and found that the attackers harvested real names and phone numbers and sent them to their servers. The servers then send specially crafted messages back to the infected phone, which Flubot uses to spread itself to further victims.

To stay safe, users should not download software from unknown sources. The exceptions are sites such as APK Mirror or F-Droid, which vet uploaded APKs and check their integrity. Even then, it is worth confirming that the APK's signing certificate matches the developer's known one, since a repackaged clone cannot carry the genuine developer signature. The safest option remains installing apps only from the Play Store.
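The behaviours described above (a dropper that installs further packages, SMS access for OTP theft and self-spreading, and an accessibility service for keystroke logging) all leave traces in an app's manifest. The following is an added triage script, not code from Bitdefender, Cleafy or the article; it assumes the AndroidManifest.xml has already been decoded to plain XML (for example with apktool, since APKs ship it in binary AXML form, which this script does not parse). The sample manifests, the package name com.example.mediaplayer and the service name KeyLoggerService are constructed for illustration and do not come from any real app.

```python
"""Heuristic triage of a decoded AndroidManifest.xml for banking-trojan traits.

Added example. Input is assumed to be a manifest already decoded to text XML
(e.g. via apktool). The sample manifests below are constructed, not real.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Manifest artefacts that grant the capabilities the article describes.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (OTP theft)",
    "android.permission.READ_SMS": "read stored SMS (OTP theft)",
    "android.permission.SEND_SMS": "send SMS (Flubot-style self-spreading)",
    "android.permission.READ_CONTACTS": "harvest contacts as smishing targets",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs (dropper)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
}
SMS_PERMISSIONS = {p for p in SUSPICIOUS_PERMISSIONS if p.endswith("_SMS")}
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest resembling a fake "media player" dropper (hypothetical names).
SAMPLE_DROPPER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mediaplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="MediaPlayer">
        <activity android:name=".MainActivity"/>
        <service android:name=".KeyLoggerService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest of a plain media player for comparison (hypothetical names).
SAMPLE_BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.player">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Player">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return package name, a low/medium/high verdict and the findings behind it."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "<unknown>")
    declared = {e.get(ATTR_NAME) for e in root.iter("uses-permission")}

    findings = [(p, why) for p, why in SUSPICIOUS_PERMISSIONS.items() if p in declared]

    # An accessibility service is declared by binding it with this permission.
    accessibility_services = [
        svc.get(ATTR_NAME) for svc in root.iter("service")
        if svc.get(ATTR_PERMISSION) == ACCESSIBILITY_PERMISSION
    ]
    for name in accessibility_services:
        findings.append((f"service {name}", "accessibility service: can read screen text and keystrokes"))

    has_sms = bool(declared & SMS_PERMISSIONS)
    has_install = INSTALL_PERMISSION in declared
    has_accessibility = bool(accessibility_services)

    # SMS access combined with a dropper or accessibility capability is the
    # banking-trojan pattern; any one of them alone is merely worth a closer look.
    if has_sms and (has_install or has_accessibility):
        verdict = "high"
    elif has_sms or has_install or has_accessibility:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": package, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for manifest in (SAMPLE_DROPPER_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(f"{result['package']}: {result['verdict']}")
        for what, why in result["findings"]:
            print(f"  {what}: {why}")
```

The script is a triage aid, not a verdict: legitimate messaging or MDM apps declare SMS permissions too, so the point is that a supposed media player has no business with SMS, package installation or an accessibility service, and that combination should stop a sideload before it happens.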
