Researchers from the Bitdefender Mobile Threats team said they have intercepted more than 100,000 malicious SMS messages attempting to distribute Flubot malware since the beginning of December.
“Findings indicate attackers are modifying their subject lines and using older yet proven scams to entice users to click,” the Romanian cybersecurity firm detailed in a report published Wednesday. “Additionally, attackers are rapidly changing the countries they are targeting in this campaign. “
The new wave of attacks was most intense in Australia, Germany and Spain. Attacks spread to other countries, such as Thailand, Romania and the Netherlands.
FluBot (aka Cabassous) campaigns use smishing as the primary delivery method to target potential victims, wherein users receive an SMS message with the question “Is this you in this video?” and are tricked into clicking a link that installs the malware.
” This new vector to banking trojans indicates that attackers want to go beyond the usual malicious SMS messages,” researchers stated.
TeaBot masquerades as QR Code Scanner Apps
It’s not only FluBot. Another Android trojan called TeaBot (aka Anatsa) has been observed lurking on the Google Play Store in the form of an app named “QR Code Reader – Scanner App,” attracting no fewer than 100,000 downloads while delivering 17 different variants of the malware between December 6, 2021, and January 17, 2022.
In a tactic that’s becoming increasingly common, the app does offer the promised functionality, but it’s also designed to retrieve a malicious APK file hosted on GitHub, but not before ascertaining that the country code of the current registered operator doesn’t start with a “U. “
The installation of the rogue app then involves presenting a fake UI notifying the user that an add-on update is required and that the setting to allow installs from unknown sources needs to be enabled in order to apply the update.
BitDefender said it identified four more dropper apps — 2FA Authenticator, QR Scanner APK, QR Code Scan, and Smart Cleaner — that were available on the Play Store and distributed the TeaBot malware since at least April 2021.
Another technique of interest adopted by the operators is versioning, which works by submitting a benign version of an app to the app store for purposes of evading the review process put in place by Google, only to replace the codebase over time with additional malicious functionality through updates at a later date.
Aside from bypassing Play Store security to allow for a larger infection pool, operators may have been paid to be shown in Google Ads within legitimate apps and games to “give them screen time” in apps that might have millions of users. “
The analysis also corroborates a previous report from Dutch cybersecurity firm ThreatFabric, which found six Anatsa droppers on the Play Store since June 2021. These apps downloaded an update and then asked users for permission to use apps from untrusted third-party sites.
“Malicious actors treat malware like a product, with development and versioning, working hard to circumvent security technologies and gain more victims,” Richard Melick, director of product strategy for endpoint security at Zimperium, said.
” When one version is broken, malicious actors return to the development of the next, particularly if the results have been successful. Melick said that the mobile endpoint was an extremely lucrative target for attackers.
From GriftHorse to Dark Herring
The development comes as Zimperium zLabs disclosed details of yet another premium service abuse campaign along the lines of GriftHorse that leveraged as many as 470 benign-looking apps to subscribe users to paid services costing $15 per month without their knowledge.
The billing fraud, also categorized as “fleeceware,” is said to have affected upwards of 105 million users across more than 70 countries, with most victims located in Egypt, Finland, India, Pakistan, and Sweden.
The mammoth operation, which the mobile security company codenamed “Dark Herring,” has been backtraced to March 2020, making it one of the longest-running mobile SMS scams discovered to date.
While the huge nest of trojan apps have since been purged from the Play Store, they are still available on third-party app stores, once again underscoring the potential dangers when it comes to sideloading applications onto mobile devices.
“In addition to over 470 Android applications, the distribution of the applications was extremely well-planned, spreading their apps across multiple, varied categories, widening the range of potential victims,” Zimperium researcher Aazim Yaswant said. The apps worked as they were advertised and gave people a false sense of security. “