“Is That You in This Video?” FluBot and TeaBot Campaigns Use SMS Text to Target Android Devices Worldwide


Share on facebook
Share on twitter
Share on linkedin

New FluBot and TeaBot malware distribution campaigns have been detected in Australia, Germany, Poland, Spain, and Romania, using typical smishing lures or laced apps against Android users. 

FluBot’s Reappearance: 

Fake SMS messages, “Is that you in this video?” coaxing, fake browser updates, and fake voicemail notifications are among the SMS subject lines used to spread FluBot virus. 

Bitdefender Labs researchers observed the most current FluBot campaign, intercepting over 100,000 infected SMS messages since December 2021. 

FluBot operators, according to the research, launch attacks in short-term waves using different decoys for each country. 

After infecting a device, the virus exploits the victim’s contact list to distribute more SMS decoys, obtaining higher infection rates due to receivers’ trust in known contacts and continuing to spread. 

The FluBot distribution has been active throughout 2021, and reports of high-volume activity in 2022 show that its operators won’t be slowing down anytime soon. 

TeaBot Thriving in the Google Play Store: 

TeaBot is a global Android banking Trojan that was identified in January 2021 and has since made many appearances in the Play Store. 

It is transmitted to unsuspecting victims using Trojan programmes available on the Google Play Store, such as: 

  • QR Code Reader – Scanner app – 100,000 downloads 
  • QR Scanner APK – 10,000 Downloads 
  • QR code scan – 10,000 downloads 
  • Smart Cleaner – 1,000 downloads 
  • Weather Cast – 10,000 downloads 
  • Daily Weather – 10,000 downloads 

At first glance, none of these apps had any malicious code and functioned as promised, allowing them to pass the Google Play Store review process and reach a larger pool of victims. 

Alert to allow the installation via third party sources. Source: Bitdefender

However, once installed and running on the victim’s device, the apps launched a background service that checked the country code and stopped if it returned Ukraine, Uzbekistan, Uruguay, or the United States. 

The app downloaded its setup for all other victims, as well as an APK from a GitHub repository containing a TeaBot variation. Simultaneously, apps prompted the user to authorise third-party sources to install packages. 

The TeaBot campaign shows clearly that even if you instal software from the Google Play Store, you are not always safe from cybercriminals. 

As a result, it is recommended to be cautious with new installs, read user reviews, monitor the app’s network and battery usage, and provide only risk-free permissions. 

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.


Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235

Emergency Assistance

Under Attack?

Please fill out the form and we will respond ASAP. Alternatively, click the button to call us now.