{
	"id": "9d1cd6a3-84e4-4da4-825b-fd398db2e222",
	"created_at": "2026-04-06T00:12:23.142281Z",
	"updated_at": "2026-04-10T13:12:50.180408Z",
	"deleted_at": null,
	"sha1_hash": "ede162526ec5ca487017304453a49b7dfa235918",
	"title": "New FluBot and TeaBot Global Malware Campaigns Discovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3237000,
	"plain_text": "New FluBot and TeaBot Global Malware Campaigns Discovered\r\nBy Bitdefender\r\nArchived: 2026-04-05 12:37:35 UTC\r\nSome malware and phishing campaigns have short lives, tending to dissipate after they're identified by security solutions. Others seem to survive year after year, with victims falling for the same tricks. Banking trojans such as TeaBot and FluBot and the \"Is it you in the video?\" scams are just two examples of threats that adapt to remain relevant.\r\nThe impact of the TeaBot and FluBot trojans became apparent globally last year. Threat actors used mockups of popular apps and applications posing as ad-blockers, and sent SMS messages from already-compromised devices to spread the malware organically. The banking trojans' functionality is straightforward: they steal banking, contact, SMS and other types of private data from infected devices. They have an arsenal of other commands available, including sending an SMS with content provided by the command and control (CnC) server. This allows their operators to change targeted banks and other features on the fly, depending on the countries affected.\r\nThese threats survive because they come in waves with different messages and in different time zones. While the malware itself remains pretty static, the message used to carry it, the domains that host the droppers, and everything else is constantly changing.\r\nSince the beginning of December, Bitdefender Labs has intercepted over 100,000 malicious SMS messages trying to distribute FluBot malware, by analyzing telemetry from the new Scam Alert feature, now available by default in Bitdefender Mobile Security \u0026 Antivirus. Findings indicate attackers are modifying their subject lines and using older yet proven scams to entice users to click. Additionally, attackers are rapidly changing the countries they are targeting in this campaign.\r\nThe following is a detailed overview of the findings:\r\nhttps://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered\r\nPage 1 of 21\r\nFigure 1\r\nWith the help of Scam Alert, we've seen how this malicious SMS now informs users of potential problems with parcel delivery and tells users that Flash player needs an update, that they have a missed voice mail or that some Android component needs upgrading.\r\nFluBot distribution worldwide\r\nThe FluBot operators target different zones for short periods - sometimes just a few days. For example, in the month between Dec. 1 of last year and Jan. 2 of this year, the malware was highly active in Australia, Germany, Spain, Italy and a few other European countries.\r\nFigure 2\r\nStarting Jan. 3, 2022, the attackers began to look at other countries to spread their malware, including Poland, Romania and the Netherlands. In fact, Romania has been one of the main targets in the past few days.\r\nFigure 3\r\nThe worldwide distribution of the waves we've observed over the past couple of months shows Australia as a primary target.\r\nFigure 4\r\n‘Is this you in this video?’ message adapted in FluBot campaign\r\nA simple phishing campaign is still making the rounds on social media, primarily through Facebook's Messenger. Users receive a message from a friend in their list with a question (“Is this you in this video?” or some variation) and a link. When the victim clicks on the link, it usually redirects them to a fake Facebook login that gives attackers direct access to credentials.\r\nThe phishing campaign is already a couple of years old, and it's persistent. It shows up on Facebook in waves and doesn't seem to disappear. We mention this campaign because FluBot operators have adopted a similar message for their malware. In this situation, victims receive an SMS message along the lines of “Is this you in this video?” The goal is the same - to somehow mislead people into installing the software under some pretext, by telling them that Flash or some Android component actually needs an upgrade after they've opened the link informing them they could be in a video. This new vector for banking trojans shows that attackers are looking to expand past the regular malicious SMS messages.\r\nBanker installation posing as Flash update\r\nIn fact, Romania has been one of the main targets in the latest \"Is this you in this video?\" campaign distributed through Messenger. We've intercepted over 10,000 malicious URLs just in the past 30 days. While the two campaigns are likely not related, it’s interesting to see how one group uses the methods of another.\r\nFigure 5\r\nNew TeaBot campaign targeting official app stores\r\nMost believe that apps on the official Google Play Store are completely safe to download and are vetted for security before they become available to the public. That's true most of the time but not always.\r\nSometimes malicious apps are missed and stay active on official stores, accruing thousands of downloads before they are noticed and taken down. We found something strange during our investigation of the new FluBot campaign. We initially believed FluBot was being installed on devices without a malicious SMS being sent, but discovered that a different malicious banking bot was installed on the same device.\r\nWe determined it was a TeaBot variant, and further investigation led to the finding of a dropper application in the Google Play Store named 'QR Code Reader - Scanner App', with over 100,000 downloads, that has distributed 17 different TeaBot variants for a little over a month.\r\nBitdefender's security researchers have found that the 'QR Code Reader - Scanner App' in the Google Play Store is likely a heavily encrypted TeaBot dropper. In just 30 days, it dropped 17 variants of the malware.\r\nFigure 6\r\nThe application itself is not malicious, and it does offer the promised functionality, but that's a known tactic. The malicious code within the app has a minimal footprint, as the authors were careful about not triggering security heuristics. The path followed after installation is relevant in itself.\r\nWhen the user starts the Android app, it also starts a background service that checks the country code of the currently registered operator (or the cell nearby). If the country code starts with a \"U\" or is unavailable, the app skips executing the malicious code, which means that countries like Ukraine, Uzbekistan, Uruguay and the US are skipped.\r\nIf the app passes the check, it retrieves the contents of a settings file from GitHub at the following address:\r\nraw.githubusercontent[.]com/isaacluten/qrbarcode/main/settings\r\nThis file contains a different GitHub repository file link pointing to the actual payload to download.\r\nFigure 7\r\nThe URL in this settings file, from the QR Code Reader repository, is changed whenever a different payload URL is needed, or even removed if the authors wish to deactivate the malicious behavior temporarily.\r\nIf there is a URL in the settings file, the APK is downloaded and saved to '/sdcard/Android/data/com.lorankey.qrcode/files/Download/addonqrapp.apk', and the installation is initiated. The app itself presents a fake UI saying that an update is required, and users are instructed to allow the Android app to install third-party packages.\r\nFigure 8\r\nCombining our telemetry with GitHub's repository history, we identified a minimum of 17 different versions of TeaBot that were deployed to victims from Dec. 6 of last year to Jan. 17 of this year.\r\nGitHub accounts\r\nThe malware has a hardcoded GitHub URL to get the next payload (another GitHub URL). Looking at GitHub's history and our own analysis, we have the following accounts associated with this threat:\r\nGitHub user | Timeline | Purpose\r\ngithub.com/isaacluten | Created 2021.12.06 | Configuration files storage; indicates the payload location\r\ngithub.com/lotterevich | First seen 2021.12.06, last seen 2021.12.17 | Held payloads, but was deleted\r\ngithub.com/rosamundstone393 | Created 2021.12.07 | FluBot payloads are currently uploaded here\r\nBetween the accounts, all payload configurations seen were as follows:\r\nContent of raw.githubusercontent.com/isaacluten/qrbarcode/main/settings\r\n1.0.0\u003c\u003chttps://github.com/rosamundstone393/maina/blob/main/today.apk?raw=true\r\n1.0.0\u003c\u003chttps://github.com/lotterevich/lott/blob/main/today.apk?raw=true\r\n1.0.0\u003c\u003chttps://github.com/lotterevich/lott/blob/main/fullymain.apk?raw=true\r\n1.0.2\r\n1.0.1\r\n1.0.0\u003c\u003chttps://github.com/lotterevich/lott/raw/main/maina.apk\r\n1.0.0\r\n1.0.0\u003c\u003chttps://github.com/lotterevich/lott/raw/main/Flashlight.apk\r\nCurrently, all payloads are uploaded as \"1.0.0\u003c\u003chxxps://github.com/rosamundstone393/maina/blob/main/today.apk?raw=true\"\r\nThere is one repository for payload configuration for the QR Code Reader app, and another repository was created for an app named 2FA Authenticator, also a dropper, that was just released.\r\nFigure 9\r\nTelemetry\r\nThe QR Code Reader application is available for download globally but, oddly, our telemetry shows the vast majority of scans on the dropped payloads come from Great Britain. We presume that the authors of the malware have made specific ad campaigns targeting that area.\r\nFigure 10\r\nBitdefender’s security researchers also found one of the ways this app manages to spread through the userbase. Victims likely see an ad for this malicious app in other legitimate Android applications and install it through that vector. The attackers pay to appear in Google Ads, giving them screen time in an app that could have millions of users.\r\nThe 2FA Authenticator we found is a similar malicious dropper currently available on the Play Store. Fortunately, this version of the malware dropper had no chance to infect as many victims because we caught it as soon as it was released.\r\nFigure 11\r\nAll countries that are excluded by the malware, by ISO code:\r\n'UG' 'UGANDA'\r\n'UA' 'UKRAINE'\r\n'US' 'UNITED STATES'\r\n'UM/UMI' 'UNITED STATES MINOR OUTLYING ISLANDS'\r\n'UY' 'URUGUAY'\r\n'UZ' 'UZBEKISTAN'\r\nGoogle Play Store may not be as safe as you think\r\nSearching for similar dropper behavior, we found other applications that used to be available on Google Play and distributed TeaBot. As far as we can tell, they've been silently removed without anyone noticing they were ever live.\r\nApp name | App package name | Developer | Last known download count | Last seen on Play\r\nQR Scanner APK | com.paccinisantino861.qrscanner | santino paccini | 10,000+ | 2022.01.07\r\nQR Code Scan | com.scannet.qrbar | Bailey Leightonware | 10,000+ | 2021.04.21\r\nSmart Cleaner | com.butkusnedas.smart.cleaner | Butkusnedas | 1,000+ | 2021.12.17\r\nOne notable feature of this malware is the complete lack of malicious code in the initial versions. Attackers initially submit clean apps and introduce the malicious component in subsequent updates. The three apps mentioned above provide the perfect example of this behavior.\r\nApp name | Version code | Version name | APK MD5\r\nQR Scanner APK | 4 | 2.4 | bea21055cda8c81b4e5a46c1fac2b570\r\nQR Scanner APK | 4 | 2.4 | 0f621dbe75d1d223353e9a74209c43cb\r\nQR Code Scan | 4 | 1.03 | 125a0b5013e3ef4b6a4af2d184b68a0b\r\nSmart Cleaner | 2 | 2.0 | 77dd1738f3109a15a9b38db2845bbb54\r\nSmart Cleaner | 3 | 3.0 | 1c486fe75688a2fd67b26c22d0f85adc\r\nSmart Cleaner | 3 | 3.0 | df7770114becbbee2f06be8947039c31\r\nRough weather we're having\r\nThe Weather Cast application by Weather Live is an active app on Google Play that also drops banking malware. Determining the exact nature of the malware is challenging because threat groups copy much of the code from one malware to another, following up with heavy encryption to obfuscate the code. In the end, this only makes it more difficult to pinpoint the exact version. It doesn’t affect the ability of Bitdefender's Mobile Security \u0026 Antivirus to stop the malicious behavior.\r\nFigure 12\r\nThis malicious dropper retrieves the malware from its Firebase database (weather-live-a2756.firebaseio.com):\r\nFigure 13\r\nThe Firebase database currently indicates that this banking malware has been dropped on 274 victims, but the actual number could be a lot bigger, given that the app is not new. It's also likely that the 10,000 downloads indicated on Google Play are not all real user downloads.\r\nThe malicious payload is saved as SampleDownloadApp.apk on the file system and triggers the regular installation flow. Although the download URL returned by the Firebase database (polarnauc.com/rm71.apk) is currently down, our telemetry indicates that victims downloaded the malicious banker trojan app.\r\nWeather Cast dropper application\r\n05a041e47e305a4b2327f0e46d9d385f\r\n7392e69e36ceb88425c1d8a421976a0d\r\n773f698e035cfe0a9b642428a028405f\r\nd600c4a4466da09e239c855e19addd5a\r\n575c0d28e7bf5198ffe7bf5950e119f4\r\ne652412ac7de94fdfcb7c2a6e4a0fcc0\r\nAnother weather application we found is named Weather Daily from WeatherDaily, and it's still on Google Play, with the same malicious download capability.\r\nFigure 14\r\nThis application uses the same Firebase URL as the first one, so it is also inactive at this point.\r\nWeather Daily dropper application\r\n906166b5f0478083002fa2766f7f1cce\r\nbbefb28d7bdf997ac4d5ad747f62a0b3\r\n9eb12035c0539b768e25581c9a425ff6\r\n12dc7c3768430ade2ff4d2533bad5fb5\r\n01b347ab6b147c02b20cef61bc50089b\r\n568fbec1a9696da35af3c7dc277d6397\r\n8cb1700b8bc2b92ef767bc04f4f02189\r\n5a5ecf6b28bcae06b590df3a622c4401\r\n7da32784fa162e59b216d7ea21476520\r\ncdba81c1e0e9be347dd3072b2bcfb335\r\n8dff2bd7449f510bed9c0949432dda9f\r\n424c34c7d4ab5b9a808d2df211551336\r\n48e3c1b0bf0c8efcf78e26605c74fa3c\r\n7fe5ffbd394e5a92b649fa44a6cca1d3\r\n3625dcca6b829d888235e001eff9f069\r\nIndicators of compromise (IOC)\r\nWe have already notified Google and GitHub regarding all of this malicious activity, and GitHub took down the accounts.\r\nDropper MD5 | Dropper package name\r\n6be155472cedc94d834a220b6217c029 | com.lorankey.qrcode\r\n125a0b5013e3ef4b6a4af2d184b68a0b | com.scannet.qrbar\r\n57f6576705e7e8b11fbd3480b7602f25 | com.qrcodeapp.qrcodeapp\r\n77dd1738f3109a15a9b38db2845bbb54 | com.butkusnedas.smart.cleaner\r\n1c486fe75688a2fd67b26c22d0f85adc | com.butkusnedas.smart.cleaner\r\ndf7770114becbbee2f06be8947039c31 | com.butkusnedas.smart.cleaner\r\nbea21055cda8c81b4e5a46c1fac2b570 | com.paccinisantino861.qrscanner\r\n0f621dbe75d1d223353e9a74209c43cb | com.paccinisantino861.qrscanner\r\n05a041e47e305a4b2327f0e46d9d385f | com.weatherlive.android\r\n7392e69e36ceb88425c1d8a421976a0d | com.weatherlive.android\r\n773f698e035cfe0a9b642428a028405f | com.weatherlive.android\r\nd600c4a4466da09e239c855e19addd5a | com.weatherlive.android\r\n575c0d28e7bf5198ffe7bf5950e119f4 | com.weatherlive.android\r\ne652412ac7de94fdfcb7c2a6e4a0fcc0 | com.weatherlive.android\r\n906166b5f0478083002fa2766f7f1cce | com.app.weatherclient\r\nbbefb28d7bdf997ac4d5ad747f62a0b3 | com.app.weatherclient\r\n9eb12035c0539b768e25581c9a425ff6 | com.app.weatherclient\r\n12dc7c3768430ade2ff4d2533bad5fb5 | com.app.weatherclient\r\n01b347ab6b147c02b20cef61bc50089b | com.app.weatherclient\r\n568fbec1a9696da35af3c7dc277d6397 | com.app.weatherclient\r\n8cb1700b8bc2b92ef767bc04f4f02189 | com.app.weatherclient\r\n5a5ecf6b28bcae06b590df3a622c4401 | com.app.weatherclient\r\n7da32784fa162e59b216d7ea21476520 | com.app.weatherclient\r\ncdba81c1e0e9be347dd3072b2bcfb335 | com.app.weatherclient\r\n8dff2bd7449f510bed9c0949432dda9f | com.app.weatherclient\r\n424c34c7d4ab5b9a808d2df211551336 | com.app.weatherclient\r\n48e3c1b0bf0c8efcf78e26605c74fa3c | com.app.weatherclient\r\n7fe5ffbd394e5a92b649fa44a6cca1d3 | com.app.weatherclient\r\n3625dcca6b829d888235e001eff9f069 | com.app.weatherclient\r\n3b24fc4b75c3a2a3016a1aadab12f4b7 | org.otpauthverified.android.andotp\r\nTeaBot payload MD5\r\n11d60ea8b765805fd21ccaa394c0f1c5\r\n199a05563aac440df1ece5900dc8728b\r\n243063fdfc605e52e415286d441c64cd\r\n27c7610b496812ab44734d02ab84298e\r\n3acd1e3fc3a9748fee13550cfe86491f\r\n3ed22780949ae9c756186451b12e49c9\r\n63889a8f68d33314435be05e519b2121\r\n761d47788376087a8d9ebd79966d17ce\r\n8e9a27c2b2c78282536e747adbc32ff1\r\n933e4941511c990c05c1a2f536eb73f2\r\nc4648f55a3325853f435ce04b226eca5\r\nd35101685436f5599d314e2843647424\r\ndb3ba9bd23563c720d793e397fc4db80\r\ne5a3d989403bdc03132c1f5092a8d3fa\r\nf25da3ec09dbc26c30fd0734500f607b\r\nff6184928f9704b482d4b7e157bf479c\r\nffe5cb26952d97864dc643091450bd16\r\n23e49cc28a5feeed4b9e362aa43e158a\r\n770b95a7894b32b139a9bf93bfaf7d26\r\nad96f5c40a8bdff8c682ecb7982aa19d\r\n0333d85a2c9e36ea7a84aad42b69e969\r\n0801afc7101311e76e1b38484e19cec6\r\n3cf74827168efbcd58633b929b4f6e94\r\n5e81fc20f164ca96f3b57338493c4fcf\r\nWeather app dropped malware\r\ncbd060ded5a83b5f874901e8c60bfb3d\r\n2776882a50b86a5829b7063fdcbe256f\r\n6ad5b3b9275df2cbf1671af2f7ae25e2\r\n0585c9238714c5c44614e1594e73287e\r\nd3a1b6a21d4601cc6cd6a675790eda4b\r\nWeather app payload URL\r\npolarnauc.com/rm71.apk\r\nAssociated GitHub accounts:\r\nGitHub user\r\ngithub.com/isaacluten\r\ngithub.com/lotterevich\r\ngithub.com/rosamundstone393\r\nThis article is available courtesy of the Bitdefender Mobile Threats team.\r\nSource: https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered"
	],
	"report_names": [
		"new-flubot-and-teabot-global-malware-campaigns-discovered"
	],
	"threat_actors": [],
	"ts_created_at": 1775434343,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ede162526ec5ca487017304453a49b7dfa235918.pdf",
		"text": "https://archive.orkl.eu/ede162526ec5ca487017304453a49b7dfa235918.txt",
		"img": "https://archive.orkl.eu/ede162526ec5ca487017304453a49b7dfa235918.jpg"
	}
}