This Android trojan malware is using fake apps to infect smartphones, steal bank details

The fake ad blocker that drops TeaBot shows victims adverts claiming the phone has been damaged by a virus and tells them to click a link for the fix; following that link installs the malware.

By Danny Palmer

Cyber criminals are now using fake versions of popular Android applications to infect victims with trojan malware, and in this campaign the fakes are only installed after the user has first downloaded a bogus ad blocker.

TeaBot, also known as Anatsa, can take full remote control of an infected Android device. Combined with keylogging and the interception of authentication codes, that lets the criminals steal bank details and other sensitive information.

The malware first emerged in December last year and the campaign remains active. TeaBot's authors try to trick victims into installing it by disguising it as fake versions of popular apps, the genuine versions of which have often been downloaded millions of times.


As detailed by cybersecurity researchers at Bitdefender, these include phoney versions of antivirus apps, the VLC open-source media player, audiobook players and more. The malicious versions use names and logos that differ only slightly from the real ones.

The malicious apps aren't distributed through the official Google Play Store but are hosted on third-party websites, although many of the ways people are directed to those sites still remain a mystery to researchers.

One of the ways the victims are driven towards the malicious apps is via a fake ad blocker app that acts as a dropper – although it's unknown how victims are directed towards the ad blocker in the first place.

Once installed, the bogus ad blocker repeatedly shows phoney adverts, ironically often claiming that the smartphone has been damaged by a malicious app, and urges the user to click a link for the fix. Clicking that link is what downloads TeaBot onto the device.

The infection chain might appear convoluted, but splitting it over several stages makes detection less likely: each stage on its own looks less obviously malicious than a single app that bundles the ad blocker, the adverts and the banking trojan together.
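The chain above hinges on two things a defender can check for: apps that arrived outside the Play Store, and package names that borrow a well-known brand without being that brand's official package. The following is an added example, not code from the article or from Bitdefender's research. It parses constructed output in the format of `adb shell pm list packages -i` (which prints each package with the installer that recorded it) and flags sideloaded or lookalike packages. The installer allowlist, the system-package prefixes and the brand table are assumptions chosen for the example; the only fact taken from the article is that VLC (official package `org.videolan.vlc`) was among the impersonated apps.

```python
import re
from dataclasses import dataclass

# Constructed sample of `adb shell pm list packages -i` output for this example.
# The Play Store records itself as com.android.vending. An APK downloaded from a
# website and installed by the user typically shows the system package installer
# or "null", depending on Android version (assumption for this example).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:org.videolan.vlc  installer=com.android.vending
package:com.adblocker.free.pro  installer=null
package:com.vlc.mediaplayer.hd  installer=com.google.android.packageinstaller
package:com.android.settings  installer=null
"""

# Installers treated as a curated store (assumption; add OEM stores as needed).
TRUSTED_INSTALLERS = {"com.android.vending"}

# System packages legitimately have no installer; this short prefix allowlist is
# an assumption. Real tooling would consult `pm list packages -s` instead.
SYSTEM_PREFIXES = ("com.android.", "com.google.android.")

# Brand keyword -> official package name. Hypothetical table for the example;
# only the VLC entry is grounded in the article.
KNOWN_BRANDS = {"vlc": "org.videolan.vlc"}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    reasons: tuple


def parse_pm_output(text):
    """Return (package, installer) pairs; lines that do not match are ignored."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group("pkg"), m.group("installer")))
    return pairs


def lookalike_brand(pkg, brands=KNOWN_BRANDS):
    """Return the brand whose name a package borrows without being the official package."""
    segments = pkg.lower().split(".")
    for brand, official in brands.items():
        if pkg != official and brand in segments:
            return brand
    return None


def triage(text, trusted=TRUSTED_INSTALLERS):
    """Flag packages that were sideloaded and/or impersonate a known brand."""
    findings = []
    for pkg, installer in parse_pm_output(text):
        reasons = []
        if installer not in trusted and not pkg.startswith(SYSTEM_PREFIXES):
            reasons.append("no store installer" if installer == "null"
                           else f"sideloaded via {installer}")
        brand = lookalike_brand(pkg)
        if brand:
            reasons.append(f"name resembles {brand} but is not {KNOWN_BRANDS[brand]}")
        if reasons:
            findings.append(Finding(pkg, installer, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PM_OUTPUT):
        print(f"{f.package} ({f.installer}): {'; '.join(f.reasons)}")
```

On the constructed sample this flags the ad blocker (no installer recorded) and the VLC lookalike (sideloaded and borrowing the brand name), while the genuine VLC and the system packages pass. On a real device, `pm list packages -i` is one of several signals; a store installer does not prove an app is benign, and an absent installer on a user app is a prompt to look closer, not a verdict.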