
Mockups of Popular Android Apps Infect Phones With Malware

According to a Bitdefender report from June 1, hackers are using malicious Android app lookalikes to spread dangerous malware. These malware apps usually mimic real apps that have over 50 million downloads to trick their users.

DHL, VLC media player, and Kaspersky antivirus are popular choices. Cybercriminals use Android’s sideload option to install apps from unofficial sources, tricking many less tech-savvy users easily. They employ various social engineering tricks to get users to install malware-ridden apps from suspicious sources instead of using Google’s official store. Upon installing those malware apps, Teabot or Flubot banker trojans are free to wreak havoc on the user’s smart device.

The Teabot malware, also called Anatsa, has the ability to intercept SMS messages and steal Google Authentication codes. Apart from keylogging activities, it can also execute overlay attacks and even take complete control over the user’s smart device.

Flubot is more straightforward, with “worm-like” programming that allows it to steal banking credentials and other types of personal data or text messages. It spreads by sending spam text messages from already infected devices. This malware also modifies the registry and shuts down access to Google Play so it can remain undetected. Good antivirus apps can still root it out quickly, but doing so once your device has already been compromised may be too late.

In most cases, the app icons and labels differ ever so slightly from the official versions that they are mimicking. Uplift, a health and wellness app, is the exception, making it impossible to tell the difference just by looking at the app’s icon.

Bitdefender has collected a list of countries most affected by these malware attacks. Teabot is mainly spreading through Spain, Italy, and the Netherlands, with VLC MediaPlayer being the most mimicked app. On the other hand, Flubot is most widespread in Germany, Spain, and Italy. During March and April of 2021, Allot Secure stopped Flubot from interfacing with its command and control center in 106,612,889 separate instances.
