{
	"id": "bc841056-0973-40a7-937c-ef4027e892ac",
	"created_at": "2026-04-06T00:15:32.854619Z",
	"updated_at": "2026-04-10T13:12:41.073408Z",
	"deleted_at": null,
	"sha1_hash": "ee4736a8346210ac7ba9e1161d204b000c014f3d",
	"title": "Widespread FluBot and TeaBot Malware Campaigns Targeting Android Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 186377,
	"plain_text": "Widespread FluBot and TeaBot Malware Campaigns Targeting\r\nAndroid Devices\r\nBy The Hacker News\r\nPublished: 2022-01-27 · Archived: 2026-04-05 18:35:26 UTC\r\nResearchers from the Bitdefender Mobile Threats team said they have intercepted more than 100,000 malicious\r\nSMS messages attempting to distribute Flubot malware since the beginning of December.\r\n\"Findings indicate attackers are modifying their subject lines and using older yet proven scams to entice users to\r\nclick,\" the Romanian cybersecurity firm detailed in a report published Wednesday. \"Additionally, attackers are\r\nrapidly changing the countries they are targeting in this campaign.\"\r\nThe new wave of attacks is said to have been most active in Australia, Germany, Poland, Spain, Austria, and Italy,\r\namong others, with attacks spreading to newer countries like Romania, the Netherlands, and Thailand starting\r\nmid-January.\r\nFluBot (aka Cabassous) campaigns use smishing as the primary delivery method to target potential victims,\r\nwherein users receive an SMS message with the question \"Is this you in this video?\" and are tricked into clicking a\r\nlink that installs the malware.\r\nhttps://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html\r\nPage 1 of 3\n\n\"This new vector for banking trojans shows that attackers are looking to expand past the regular malicious SMS\r\nmessages,\" the researchers said.\r\nTeaBot masquerades as QR Code Scanner Apps\r\nIt's not just FluBot. 
Another Android trojan called TeaBot (aka Anatsa) has been observed lurking on the Google\r\nPlay Store in the form of an app named \"QR Code Reader - Scanner App,\" attracting no fewer than 100,000\r\ndownloads while delivering 17 different variants of the malware between December 6, 2021, and January 17,\r\n2022.\r\nIn a tactic that's becoming increasingly common, the app does offer the promised functionality, but it is also\r\ndesigned to retrieve a malicious APK file hosted on GitHub, and it does so only after ascertaining that the country code of\r\nthe current registered operator doesn't start with a \"U.\"\r\nThe installation of the rogue app then involves presenting a fake UI notifying the user that an add-on update is\r\nrequired and that the setting to allow installs from unknown sources needs to be enabled in order to apply the\r\nupdate.\r\nBitdefender said it identified four more dropper apps — 2FA Authenticator, QR Scanner APK, QR Code Scan,\r\nand Smart Cleaner — that were available on the Play Store and distributed the TeaBot malware since at least April\r\n2021.\r\nAnother technique of interest adopted by the operators is versioning, which works by submitting a benign version\r\nof an app to the app store for purposes of evading the review process put in place by Google, only to replace the\r\ncodebase over time with additional malicious functionality through updates at a later date.\r\nBeyond circumventing the Play Store protections to reach a wider infection pool, the malware authors are believed\r\nto have paid to appear in Google Ads served within other legitimate applications and games, \"giving them screen\r\ntime in an app that could have millions of users.\"\r\nThe analysis also corroborates a previous report from Dutch cybersecurity firm ThreatFabric, which found six\r\nAnatsa droppers on the Play Store since June 2021. 
The apps were programmed to download an \"update\" and then\r\nprompt users to grant them Accessibility Service privileges and permissions to install apps from unknown\r\nthird-party sources.\r\nIn a related development, researchers from Pradeo found that a two-factor authenticator app called \"2FA\r\nAuthenticator\" distributed through the Google Play store and downloaded more than 10,000 times was saddled\r\nwith a banking trojan named Vultr, which targets financial services to steal users' banking information.\r\n\"The application called 2FA Authenticator is a dropper leveraged to spread malware on its users' devices,\" the\r\nresearchers said. \"It has been developed to look legitimate and provide a real service. To do so, its developers used\r\nthe open-source code of the official Aegis authentication application to which they injected malicious code.\"\r\n\"Malicious actors treat malware like a product, with development and versioning, working hard to circumvent\r\nsecurity technologies and gain more victims,\" Richard Melick, director of product strategy for endpoint security at\r\nZimperium, said.\r\n\"When one version gets disrupted, the malicious actors go back to developing the next version, especially when\r\nthe outcomes have been effective. 
And the mobile endpoint is an incredibly lucrative target for attackers,\" Melick\r\nadded.\r\nFrom GriftHorse to Dark Herring\r\nThe development comes as Zimperium zLabs disclosed details of yet another premium service abuse campaign\r\nalong the lines of GriftHorse that leveraged as many as 470 innocuous-looking apps to subscribe users to paid\r\nservices costing $15 per month without their knowledge.\r\nThe billing fraud, also categorized as \"fleeceware,\" is said to have affected upwards of 105 million users across\r\nmore than 70 countries, with most victims located in Egypt, Finland, India, Pakistan, and Sweden.\r\nThe mammoth operation, which the mobile security company codenamed \"Dark Herring,\" has been backtraced to\r\nMarch 2020, making it one of the longest-running mobile SMS scams discovered to date.\r\nWhile the huge nest of trojan apps has since been purged from the Play Store, the apps are still available on third-party app stores, once again underscoring the potential dangers of sideloading applications onto\r\nmobile devices.\r\n\"In addition to over 470 Android applications, the distribution of the applications was extremely well-planned,\r\nspreading their apps across multiple, varied categories, widening the range of potential victims,\" Zimperium\r\nresearcher Aazim Yaswant said. \"The apps themselves also functioned as advertised, increasing the false sense of\r\nconfidence.\"\r\nSource: https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html"
	],
	"report_names": [
		"widespread-flubot-and-teabot-malware.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434532,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee4736a8346210ac7ba9e1161d204b000c014f3d.pdf",
		"text": "https://archive.orkl.eu/ee4736a8346210ac7ba9e1161d204b000c014f3d.txt",
		"img": "https://archive.orkl.eu/ee4736a8346210ac7ba9e1161d204b000c014f3d.jpg"
	}
}