According to BitDefender security researchers, two highly dangerous malware families are still circulating years after their first appearance. FluBot and TeaBot are actively spreading through hundreds of thousands of text messages and through applications approved by the Google Play Store.
Typically, malware and scams have a fairly limited lifespan. Once security researchers have identified the attackers and found possible countermeasures, the attackers have no choice but to resort to other methods. Despite this, some malware families persist and continue to claim victims years after they were first released.
This is especially true for FluBot and TeaBot. The first spreads through hundreds of thousands of fake text messages urging the user to install a fake Android update. This is not the only bait used: the same text messages also pose as package-delivery notices, prompts to update Flash Player, or missed voice message alerts. Since the beginning of December 2021, BitDefender security researchers have intercepted more than 100,000 malicious text messages distributing FluBot in many countries.
Android malware FluBot and TeaBot continue to wreak havoc
As for TeaBot, this malware was already being discussed in May 2021. It specifically intercepts text messages in order to bypass two-factor authentication and capture the codes used to log in to banking services. BitDefender experts found a variant of the malware in a QR code reader app available from the Play Store and called “QR Code Reader”. After further investigation, the researchers found that this application, with more than 100,000 downloads, had distributed at least 17 variants of TeaBot over more than a month.
The application itself is not harmful and provides the expected functionality. The footprint of the malicious code contained in the application is minimal, which keeps it from being detected by the Play Store's security systems. When the user starts the app, it also starts a background service that checks the country code of the victim's mobile operator. If the country is on the attackers' target list, the application retrieves its configuration from a file hosted on GitHub at the following address:
raw.githubusercontent[.]com/isaagluten/qrbarcode/main/settings
According to BitDefender, this file contains another link, to a GitHub archive file, that indicates the actual payload to download. The BitDefender report also concludes with an analysis of the geographical distribution of the threats. Although they target mainly Australia, Germany and Poland, the figures cited point to Romania (72%), Poland (9.3%) and the Netherlands (8.9%).
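A defender-side illustration of the two-stage fetch described above, added here and not taken from the BitDefender report: a small Python script groups constructed device network-log lines by app package and flags any package that first reads a bare settings-style file from raw GitHub and then downloads an archive or APK from GitHub. The log format, the package names and the second (payload) URL are assumptions; the configuration URL is the defanged one quoted above.

```python
import re
from collections import defaultdict

# Constructed sample device network log (not from the BitDefender report).
# Format assumed here: "<timestamp> <android package> <method> <url>".
SAMPLE_LOG = """\
2021-12-03T10:02:11Z com.example.qrreader GET https://raw.githubusercontent[.]com/isaagluten/qrbarcode/main/settings
2021-12-03T10:02:12Z com.example.qrreader GET https://github[.]com/example-user/example-repo/archive/refs/heads/main.zip
2021-12-03T10:05:40Z com.example.weather GET https://api.example.org/forecast?city=Bucharest
2021-12-03T10:06:01Z com.example.notes GET https://raw.githubusercontent[.]com/example-user/notes/main/CHANGELOG.md
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<pkg>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")
# Stage 1: a bare "settings"/"config" file fetched straight from a raw GitHub branch.
CONFIG_RE = re.compile(
    r"^https?://raw\.githubusercontent\.com/[^/]+/[^/]+/[^/]+/(settings|config)(\.[a-z]+)?$")
# Stage 2: an archive or Android binary pulled from GitHub afterwards.
PAYLOAD_RE = re.compile(
    r"^https?://(raw\.githubusercontent\.com|github\.com)/.+\.(zip|apk|dex|jar)$")


def refang(url):
    """Turn the defanged 'example[.]com' form back into a matchable hostname."""
    return url.replace("[.]", ".")


def parse_log(text):
    """Return (timestamp, package, url) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["pkg"], refang(m["url"])))
    return events


def find_two_stage_fetchers(events):
    """Map package -> (config_url, payload_url) for packages whose config fetch
    from raw GitHub is followed, in time order, by a GitHub archive/APK download."""
    by_pkg = defaultdict(list)
    for _ts, pkg, url in sorted(events):
        by_pkg[pkg].append(url)
    hits = {}
    for pkg, urls in by_pkg.items():
        config = next((u for u in urls if CONFIG_RE.match(u)), None)
        if config is None:
            continue
        later = urls[urls.index(config) + 1:]
        payload = next((u for u in later if PAYLOAD_RE.match(u)), None)
        if payload:
            hits[pkg] = (config, payload)
    return hits


if __name__ == "__main__":
    for pkg, (cfg, pay) in find_two_stage_fetchers(parse_log(SAMPLE_LOG)).items():
        print(f"suspicious two-stage fetch by {pkg}: {cfg} -> {pay}")
```

Only the QR reader package is reported; the notes app also reads from raw GitHub but fetches a changelog, not a settings file followed by a payload.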