Bitdefender предупреждает, что злоумышленники распространяют вредоносное ПО под видом популярных Android-приложений
Bitdefender предупреждает, что злоумышленники распространяют вредоносное ПО под видом популярных Android-приложений
Bitdefender предупреждает, что злоумышленники распространяют вредоносное ПО под видом популярных Android-приложений от известных компаний. Поддельный плеер VLC, антивирус Касперского, а также поддельные приложения FedEx и DHL устанавливают на устройствах жертв банковские трояны Teabot или Flubot, впервые обнаруженные ранее в этом году.
Teabot способен перехватывать проверочные коды для авторизации в учетных записях Google, записывать нажатия клавиш на клавиатуры, отображать поддельные экраны поверх настоящих и в некоторых случаях захватывать полный контроль над устройством. Троян Flubot несколько проще, но его функционала вполне достаточно для похищения банковских данных жертв, текстовых сообщений и других персональных данных. Вредонос также имеет свойства червя – способен распространяться автоматически через SMS-рассылку.
Обнаруженные исследователями поддельные приложения не представлены в Google Play Store и распространяются только через сторонние магазины.
«Распространение вредоносного ПО для Android-устройств – дело нелегкое, поскольку официальный магазин обычно предотвращает попадания таких приложений на устройства пользователей. Тем не менее, один из наибольших плюсов Android, возможность загрузки приложений из неофициальных источников, также является его минусом. С помощью различных трюков преступники могут вынудить пользователей установить приложения из неофициального магазина», – пояснили исследователи.
На момент написания заметки данная вредоносная кампания все еще продолжалась.
Spreading malware on Android devices is not easy, as the official store can usually (not always) prevent these types of apps from reaching users. But one of Android’s greatest strengths, the ability to sideload apps from non-official sources, is also a weakness.
Using a combination of tricks to persuade users to install apps outside of the official store, criminals spread most of their malware through sideloading. If mobile devices have no security solution installed, malicious apps roam free.
The TeaBot and Flubot are the newest banker trojan families, as multiple security researchers identified them in the early months of 2021. Bitdefender researchers have discovered a batch of new malicious Android applications that impersonate real ones from popular brands but with a malware twist.
TeaBot (also known as ‘Anatsa’) and its working mechanisms are known. According to an early analysis report, the malware can carry out overlay attacks via Android Accessibility Services, intercept messages, perform various keylogging activities, steal Google Authentication codes, and even take full remote control of Android devices.
Criminals welcome the opportunity to spread malware directly from app stores, but that isn’t easy. Instead, they go for the next available method – imitating top-rated apps in the hopes of tricking at least some users into downloading and installing their malicious versions.
Bitdefender researchers have identified five new malicious Android applications that pack the Teabot banking trojan and impersonate real ones. Two of the apps are mentioned as banking malware on Twitter, and we made the connection to the Anatsa malware.
We put together a list of all banks targeted by the Teabot, but there’s a caveat: Its operators can adapt it any given time, add more banks or remove support for some. The list is valid right now, but it’s likely to change in the future.
| App name | App package name |
| Bankia Wallet | com.bankia.wallet |
| BankinterMóvil | com.bankinter.launcher |
| BBVA Spain | Online banking | com.bbva.bbvacontigo |
| BBVA Net Cash | ES & PT | com.bbva.netcash |
| Kutxabank | com.kutxabank.android |
| Santander | es.bancosantander.apps |
| Bankia | es.cm.android |
| CaixaBankNow | es.lacaixa.mobile.android.newwapicon |
| Banca Digital Liberbank | es.liberbank.cajasturapp |
| Openbank – bancamóvil | es.openbank.mobile |
| UnicajaMovil | es.univia.unicajamovil |
| BBVA México (BancomerMóvil) | com.bancomer.mbanking |
| Banco Sabadell App. Your mobile bank | net.inverline.bancosabadell.officelocator.android |
| Commerzbank Banking – The app at your side | de.commerzbanking.mobil |
| comdirect mobile App | de.comdirect.android |
| SparkasseIhre mobile Filiale | com.starfinanz.smob.android.sfinanzstatus |
| Deutsche Bank Mobile | com.db.pwcc.dbmobile |
| Banco Sabadell App. Your mobile bank | net.inverline.bancosabadell.officelocator.android |
| VR Banking Classic | de.fiducia.smartphone.android.banking.vr |
| Cajasur | com.cajasur.android |
| GrupoCajamar | com.grupocajamar.wefferent |
| BW-Mobilbankingmit Smartphone und Tablet | com.starfinanz.smob.android.bwmobilbanking |
| Ibercaja | es.ibercaja.ibercajaapp |
| ING España. Banca Móvil | www.ingdirect.nativeframe |
From Bitdefender’s telemetry, we were able to identify two new infection vectors, namely the applications with package names’ com.intensive.sound’ and ‘com.anaconda.brave’, which downloads Teabot. These are malware dropper applications known for imitating legitimate applications (such as Ad Blocker in our case).
Flubot uses that command to spread, through its SMS spamming and worm-like behavior. In our analysis, we have observed over 100 different domains used in the campaign to host the fake APK files. These domains belong to hacked/hijacked sites, where the threat actors injected their malware to spread further. In many cases, these are legitimate websites and domains that criminals have successfully attacked through existing vulnerabilities, allowing them to inject download links for malware.
Some examples of sent SMS:
| Target victims | Samples of SMS sent to victims |
| Spanish speaking | Hola, Tiene (1) Paquete de Media Markt! Ref: UPS-20147 Ultima oportunidad para recogerlo>> http://wxz14[.]com/p/?o5l08o8nmt |
| Spanish speaking | No hemospodidoentregarsupaquete. Siga el enlace para programarunanuevafecha de entrega: http://dukessailsoptin[.]com/info/?l7m4lnkvgp |
| Spanish speaking | FedEx: Tuenvioestaporllegar, rastrealoaqui: https://nsoft[.]fr/fedex/?apc9senmy3 |
| Polish speaking | Dostawanowejprzesylki: http://thejoblessemperor[.]in/pkg/?6bh4l5qy |
By looking at hundreds of SMS, we noticed that attackers use templates that only modify the recipient’s name and download link . The malware steals real contact names and phone numbers from the victim’s phone and sends them to servers hosted by the threat actors. The server composes the SMS message, using that real information and sends it back to the malware on infected phones. Flubot then sends SMS messages directly from the victim’s device.
An observed example of such a template:
| Hola<CONTACT_NAME>, confirmesuscredenciales para la entrega de hoy, de lo contrario, supaquete sera devuelto al remitente: <MALWARE_DOWNLOAD_LINK> |
Example of Flubot SMS messages:
| HolaRuben, confirmesuscredenciales para la entrega de hoy, de lo contrario, supaquete sera devuelto al remitente: https://defencelover[.]in/out/?iaw1g6md2w |
| HolaMarci, confirmesuscredenciales para la entrega de hoy, de lo contrario, supaquete sera devuelto al remitente: http://www.zyzlk[.]com/pack/?qq3s32hc4q |
| HolaRamiro, confirmesuscredenciales para la entrega de hoy, de lo contrario, supaquete sera devuelto al remitente: http://patchbuy[.]com/url/?rfzw0d1p8o |
Like in the case of Teabot, the FluBot operators go after banks and their apps, but the list of targeted apps can change at any time, as commanded by the attackers.
