New FluBot and TeaBot Global Malware Campaigns Discovered

Some malware and phishing campaigns have short lives, tending to dissipate after they're identified by security solutions. Others seem to survive year after year, with victims falling for the same tricks. Banking trojans such as TeaBot and FluBot and the "Is it you in the video?" scams are just two examples of threats that adapt to remain relevant.

The impact of TeaBot and FluBot trojans became apparent last year globally. Threat actors used mockups of popular apps, applications posing as ad-blockers and sent SMS messages from already-compromised devices to spread the malware organically. The banking trojans' functionality are straightforward -  they steal banking, contact, SMS and other types of private data from infected devices. They have an arsenal of other commands available, including sending an SMS with content provided by the command and control (CnC). This allows its operators to change targeted banks and other features on the fly, depending on the countries affected.

These threats survive because they come in waves with different messages and in different time zones. While the malware itself remains pretty static, the message used to carry it, the domains that host the droppers, and everything else is constantly changing.

Since the beginning of December, Bitdefender Labs intercepted over 100,000 malicious SMS messages tying to distribute FluBot malware by analyzing telemetry from the new Scam Alert feature, now available by default in Bitdefender Mobile Security & Antivirus. Findings indicate attackers are modifying their subject lines and using older yet proven scams to entice users to click. Additionally, attackers are rapidly changing the countries they are targeting in this campaign.

The following is a detailed overview of the findings:

With the help of Scam Alert, we've seen how this malicious SMS now informs users of potential problems with parcel delivery and tells users that Flash player needs an update, that they have a missed voice mail or that some Android component needs upgrading.

FluBot distribution worldwide

The FluBot operators target different zones for short periods - sometimes just a few days. For example, in the month between Dec. 1 of last year and Jan. 2 of this year, the malware was highly active in Australia, Germany, Spain, Italy and a few other European countries.

Starting Jan. 3, 2022 the attackers began to look at other countries to spread their malware, including Poland, Romania and the Netherlands. In fact, Romania has been one of the main targets in the past few days.

The worldwide distribution of the past couple of waves we've observed in the past couple of months shows Australia as a primary target.

‘Is this you in this video?’ message adapted in FluBot campaign

A simple phishing campaign is still making the rounds on social media, primarily through Facebook's Messenger. Users receive a message from a friend in their list with a question (“Is this you in this video?“ or some variation) and a link. When the victim clicks on the link, it usually redirects them to a fake Facebook login that gives attackers direct access to credentials.

The phishing campaign is already a couple of years old, and it's persistent. It shows up on Facebook in waves and doesn't seem to disappear. We mention this campaign because FluBot operators have adopted a similar message for their malware. In this situation, victims receive an SMS message along the lines of “Is this you in this video?.”

The goal is the same - to somehow mislead people into installing the software under some pretext, by telling them that Flash or some Android component actually needs an upgrade after they've opened the link informing them they could be in a video. This new vector for banking trojans shows that attackers are looking to expand past the regular malicious SMS messages.

In fact, Romania has been one of the main targets in the latest "Is this you in this video?" campaign distributed through Messenger. We've intercepted over 10,000 malicious URLs just in the past 30 days. While the two campaigns are likely not related, it’s interesting to see how one group uses the methods of another.

New TeaBot campaign targeting official apps stores

Most believe the official Google Play Store is completely safe to download and vetted for security purposes before they become available to the public. That's true most of the time but not always.

Sometimes malicious apps are missed and stay active on official stores accruing thousands of downloads before they are noticed and taken down. We found something strange during our investigation of the new FluBot campaign. We initially believed Flubot was being installed on devices without a malicious SMS being sent but discovered that a different malicious banking bot was installed on the same device.

We determined it was a TeaBot variant, and further investigation led to the finding of a dropper application in Google Play Store named the 'QR Code Reader - Scanner App', with over 100,000 downloads, that has been distributed 17 different TeaBot variants for a little over a month.

Bitdefender's security researchers have found that the 'QR Code Reader - Scanner App' found in the Google Play Store is likely a heavily encrypted TeaBot dropper. In just 30 days, it dropped 17 variants of the malware.

The application itself is not malicious, and it does offer the promised functionality, but that's a known tactic. The malicious code within the app has a minimal footprint, as the authors were careful about not triggering security heuristics. The path followed after installation is relevant in itself.

When the user starts the Android app, it also starts a background service that checks the country code of the current registered operator (or the cell nearby). If the country starts with a "U" or is unavailable, the app skips executing the malicious code, which means that countries like Ukraine, Uzbekistan, Uruguay and the US are skipped.

If the app passes the check, it retrieves the context of a settings file from GitHub from the following address:

raw.githubusercontent[.]com/isaacluten/qrbarcode/main/settings

This file contains a different GitHub repository file link pointing to the actual payload to download.

This settings file, from the QR Code Reader repository, has the URL changed whenever a different payload URL is needed or even removed if the authors wish to deactivate the malicious behavior temporarily.

If there is a URL in the settings file, the APK is downloaded and saved to '/sdcard/Android/data/com.lorankey.qrcode/files/Download/addonqrapp.apk', and the installation is initiated.

The app itself presents a fake UI saying that an update is required, and users are instructed to allow the Android app to install third-party packages.

Combining our telemetry with GitHub's repositories history, we identified a minimum of 17 different versions of TeaBot that were deployed to victims from Dec. 6 of last year to Jan. 17 of this year.

GitHub accounts

The malware has a hardcoded GitHub URL to get the next payload (another GitHub URL). Looking at GitHub's history and our own analysis, we have the following accounts associated with this threat:

Between the accounts, all payloads' configurations seen were as follows:

Currently, all payloads are uploaded as "1.0.0<<hxxps://github.com/rosamundstone393/maina/blob/main/today.apk?raw=true"

There is one repository for payload configuration for the QR Code Reader app, and another repository was created for an app named 2FA Authenticator, also a dropper, that was just released.

Telemetry

The QR Code Reader application is available for download globally but, oddly, our telemetry shows the vast majority of scans on the dropped payloads come from Great Britain. We presume that the authors of the malware have made specific ad campaigns targeting that area.

Bitdefender’s security researchers also found one of the ways this app manages to spread through the userbase. Victims likely see an ad for this malicious app in other legitimate Android applications and install it through that vector. The attackers pay to appear in Google Ads, giving them screen time in an app that could have millions of users.

The 2FA Authenticator we found is a similar malicious dropper currently available on the Play Store. Fortunately, this version of the malware dropper had no chance to infect as many victims because we caught it as soon as it was released.

All countries that are excluded by the malware by ISO codes:

Google Play Store maybe not as safe as you  think

Searching for similar dropper behavior, we found other applications that used to be available on Google Play and distributed TeaBot. As far as we can tell, they've been silently removed without anyone noticing they were ever live.

One relevant feature for this malware is the complete lack of malicious code in the initial versions. Attackers initially submit clean apps and introduce the malicious component in subsequent updates. The three apps mentioned above provide the perfect example of this behavior.

Rough weather we're having

The Weather Cast application by Weather Live is an active app on Google Play that also drops banking malware. Determining the exact nature of the malware is challenging because threat groups copy much of the code from one malware to another, following up with heavy encryption to obfuscate the code. In the end, this only makes it more difficult to pinpoint the exact version. It doesn’t affect the ability of Bitdefender's Mobile Security & Antivirus to stop the malicious behavior.

This malicious dropper retrieves the malware from its firebase (weather-live-a2756.firebaseio.com) database:

The firebase currently indicates that this banking malware has been dropped on 274 victims, but the actual number could be a lot bigger, given that the app is not new. It's also likely that 10,000 downloads indicated on Google Play are not all real user downloads.

The malicious payload is saved as SampleDownloadApp.apk on the file system and triggers the regular to install.

Currently, although the firebase returns the download URL is currently down (polarnauc.com/rm71.apk), our telemetry indicates that victims downloaded the malicious banker trojan app.

Another weather application we found is named Weather Daily from WeatherDaily, and it's still on Google Play, with the same malicious download capability.

This application has the same firebase URL used in our first, thus it is also inactive at this point.

Indicators of compromise (IOC)

We already notified Google and GitHub regarding all of this malicious activity and GitHub took down the accounts.

Associated GitHub accounts:

This article is available courtesy to the Bitdefender Mobile Threats team.