Phishing, Malware, Threat Management

TeaBot and FluBot banking trojans resurface, targeting Android devices

An attendee inspects the Nexus 5X phone during a Google media event on Sept. 29, 2015, in San Francisco. (Photo by Justin Sullivan/Getty Images)

Researchers on Wednesday reported that they found a resurgence of the TeaBot and FluBot banking trojans targeting Android devices, as well as an adaptation of the “Is it you in the video?” phishing campaign.

In a blog post, Bitdefender researchers said the TeaBot and FluBot trojans — which first emerged last year — pose as ad-blockers and send SMS messages from already-compromised devices to spread the malware. The banking trojans steal banking, contact, SMS and other types of private data from infected devices.

The researchers said the threats survive because they come in waves with different messages in different time zones. While the malware itself remains fairly static, the message used to carry it and the domains that host the dropper constantly change.

Since the beginning of December, Bitdefender Labs intercepted more than 100,000 malicious SMS messages trying to distribute FluBot malware. On the TeaBot front, the researchers found a dropper application in the Google Play Store named the “QR Code Reader - Scanner App,” with more than 100,000 downloads, that has distributed 17 different TeaBot variants for a little over a month.

The Bitdefender researchers highlighted the “Is this you in this video?” campaign because FluBot has adopted a similar message for its malware. In fact, Romania has been one of the main targets in the latest "Is this you in this video?" campaign distributed through Facebook Messenger. The Bitdefender researchers say they have intercepted more than 10,000 malicious URLs just in the past 30 days. While the recent campaign in Romania is likely not related to the original phishing campaign, the researchers said it’s interesting to see how one group uses the methods of another. The “Is this you in this video?” phishing campaign has been around for a few years.

It’s no surprise that the effective malware campaigns tied to TeaBot and FluBot continue development and advancement, targeting new victims and vulnerabilities, said Richard Melick, director of product strategy for endpoint security at Zimperium. Melick said just because the news stops covering the threat does not mean they go away, adding that it’s quite the opposite more times than not.

“Malicious actors treat malware like a product, with development and versioning, working hard to circumvent security technologies and gain more victims,” Melick said. “When one version gets disrupted, the malicious actors go back to developing the next version, especially when the outcomes have been effective. And the mobile endpoint is an incredibly lucrative target for attackers. Despite being packed full of personal and critical business information, connections and data, they often lack the advanced security controls necessary to stay ahead of attacks like TeaBot and FluBot.” 

Garret Grajek, CEO of YouAttest, said the fact that this attack has been so focused on SMS and other authentication procedures tells us that authentication alone will not become the panacea to the hacking problem. Grajek said whatever method we use for authentication: passwords, SMS, facial, biometric behaviors, SSO — the hackers will attempt to crack or mimic the authentication information passed to the authentication resource. 

“This is why key security concepts such as identity governance are required for a secure resource,” Grajek said. “Enterprises need to lock down the identities and quantify the activities of user and system accounts, and then both enforce strict access rules (principle of least privilege) and review the roles on a regular basis.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.