
Hackers mimic popular Android antivirus to infect devices with malware

(Image credit: Shutterstock / quietbits)

A new series of malicious Android applications has been identified, all of which borrow familiar branding to lull potential victims into a false sense of security.

According to researchers at security firm Bitdefender, cybercriminals are distributing malware-rigged versions of various popular apps, including media player VLC, Kaspersky antivirus, and applications from FedEx and DHL.

Once installed, the fraudulent apps infect devices with either Teabot or Flubot, a pair of nasty banking trojans first discovered earlier this year.

The former strain is reportedly capable of intercepting SMS messages and Google Authenticator codes, logging keystrokes, performing overlay attacks (drawing a fake login screen on top of a legitimate banking app) and, in some cases, taking full remote control of the infected device.

Flubot is not quite as complex, but is still equipped with the tools to lift banking credentials, messages and other types of private data from the device. The malware also exhibits “worm-like behavior”, spreading itself via malicious SMS messages sent out from infected devices.

Fake Android apps

Although malicious applications have been known to make their way onto the Google Play Store on occasion, the majority of threats can be avoided by installing apps from reputable sources only.

This is certainly true of the threats discovered by Bitdefender, which are not hosted on Google Play and can only make their way onto an Android device via sideloading.

“Spreading malware on Android devices is not easy, as the official store can usually prevent these types of apps from reaching users,” noted Bitdefender. “But one of Android’s greatest strengths, the ability to sideload apps from non-official sources, is also a weakness.”

“Using a combination of tricks to persuade users to install apps outside of the official store, criminals spread most of their malware through sideloading.”
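Because the apps in this campaign can only arrive by sideloading, a quick audit of an Android device is to list every package that was not installed by the Play Store. The script below is an added example, not code from the article or from Bitdefender. It assumes adb is available and the device has USB debugging enabled, treats only com.android.vending (Google Play) as a trusted installer, and the sample `pm list packages -i` output embedded in it is constructed for illustration (the package names in it are placeholders, not real malware identifiers).

```shell
#!/bin/sh
# Added example: flag packages whose installer is not Google Play, using the
# "installer=" field that `adb shell pm list packages -i` prints per package.
#
# Live use on a connected device (third-party apps only):
#   adb shell pm list packages -3 -i | find_sideloaded
#
# Assumption: only the Play Store is trusted. Add an enterprise or OEM store
# package name here if the fleet legitimately uses one.
TRUSTED_INSTALLERS="com.android.vending"

# Reads `pm list packages -i` lines on stdin and prints "<package>\t<installer>"
# for every package whose installer is not trusted. "null" means the app was
# installed via adb or is a pre-installed system app, so pass -3 to pm (as
# above) if you only want third-party packages.
find_sideloaded() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;   # skip anything that is not a package line
        esac
        pkg=${line#package:}
        pkg=${pkg%%[[:space:]]*}          # name ends at the first whitespace
        case "$line" in
            *installer=*) installer=${line##*installer=} ;;
            *) installer="unknown" ;;     # pm was run without -i
        esac
        trusted=0
        for t in $TRUSTED_INSTALLERS; do
            if [ "$installer" = "$t" ]; then
                trusted=1
            fi
        done
        if [ "$trusted" -eq 0 ]; then
            printf '%s\t%s\n' "$pkg" "$installer"
        fi
    done
    return 0
}

# Constructed sample output (placeholder package names), in the exact format
# `pm list packages -i` uses: "package:<name>  installer=<installer>".
SAMPLE_PM_OUTPUT='package:org.videolan.vlc  installer=com.android.vending
package:com.example.legit.bank  installer=com.android.vending
package:com.example.fake_vlc  installer=com.google.android.packageinstaller
package:com.example.fake_courier  installer=null'

# Number of sideloaded packages in the sample; exposed as a function so the
# result can be checked without depending on a device.
count_sideloaded() {
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | find_sideloaded | wc -l | tr -d ' '
}

# Demo run against the constructed sample.
printf 'Sideloaded packages in sample:\n'
printf '%s\n' "$SAMPLE_PM_OUTPUT" | find_sideloaded
```

An installer of com.google.android.packageinstaller is the signature of a user tapping an APK downloaded from a browser or messaging app, which is exactly the delivery path the smishing links in this campaign rely on; a null installer on a third-party package usually means it was pushed with adb.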

In the report, the researchers make clear that the malware campaign is not a reflection of the security standards of the original, legitimate apps. Cybercriminals have simply co-opted recognizable branding as a means of social engineering.

At the time of writing, the malware campaign remains active, so Android users are advised to exercise caution when downloading content from non-official sources and to shield their devices with leading security software.

Update:
Kaspersky, whose Android app the campaign operators are mimicking, has since provided the following statement:

"Malware creators regularly disguise their programs as popular legitimate software, including security programs, in order to lure users into installing malicious files. Kaspersky recommends downloading applications from legitimate sources (e.g. official app stores)."