A research team at the Italian cybersecurity firm Cleafy has disclosed a new Android banking trojan, which has been spreading across European countries since January 2021.
Dubbed ‘TeaBot’, the malware’s main goal is to steal victims’ credentials and SMS messages in order to carry out fraud against a predefined list of banks. Once the trojan is installed on a device, attackers can obtain a live stream of the device screen (on demand) and interact with it via Accessibility Services.
While TeaBot (aka Anatsa) was detected in January, the first attacks were observed in late March, targeting Italian and German banks. At the beginning of May the attacks expanded to include banks in Belgium and the Netherlands.
Like other Android banking trojans, TeaBot can perform overlay attacks against multiple banking applications to steal login credentials and credit card information, send, intercept and hide SMS messages, act as a keylogger, steal Google Authenticator codes, and obtain full remote control of an Android device (via Accessibility Services and real-time screen sharing).
“TeaBot appears to be at its early stages of development according to some irregularities found during our analysis, but developers have already included multi-languages support according to some textual references found (e.g. Spanish, Italian, German, etc.),” the researchers wrote.
The malware uses multiple techniques to slow down analysts, such as:
- The malicious application acts as a dropper and dynamically loads a second-stage (.dex) payload in which all the malicious code resides
- Usage of “junk code”
- Network communications are partially encrypted using an XOR algorithm
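The last point is what an analyst most often has to deal with first: before the C2 traffic can be inspected, the XOR layer has to be peeled off. The script below is an added example, not code from the article or from Cleafy’s analysis. It assumes a single-byte repeating key (the article does not state the key length TeaBot uses) and recovers it by trying all 256 keys and keeping the candidates that decode to printable text and parse as JSON. The beacon it decodes is a constructed sample, not real TeaBot traffic.

```python
import json
import string

# Constructed sample beacon, shaped like the kind of device-info report a banking
# trojan might send to its C2. Not real TeaBot traffic; key value is also invented.
SAMPLE_PLAINTEXT = b'{"device":"PIXEL-TEST","lang":"it","sms":"constructed sample"}'
SAMPLE_KEY = 0x5A

# The set of byte values we treat as plausible plaintext.
_PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (symmetric: encode == decode)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 1.0 means fully printable."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in _PRINTABLE) / len(data)


def rank_single_byte_keys(blob: bytes, threshold: float = 0.95):
    """Try all 256 keys; return (key, plaintext) pairs whose output is mostly
    printable, best candidates first."""
    scored = []
    for key in range(256):
        candidate = xor_bytes(blob, key)
        ratio = printable_ratio(candidate)
        if ratio >= threshold:
            scored.append((ratio, key, candidate))
    scored.sort(key=lambda t: (t[0], t[1]), reverse=True)
    return [(key, candidate) for _, key, candidate in scored]


def recover_json_beacon(blob: bytes):
    """Return (key, plaintext) for the first ranked candidate that is valid JSON,
    or None if no single-byte key yields JSON (e.g. a longer key was used)."""
    for key, candidate in rank_single_byte_keys(blob):
        try:
            json.loads(candidate.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue
        return key, candidate
    return None


if __name__ == "__main__":
    captured = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)  # stands in for a pcap payload
    result = recover_json_beacon(captured)
    if result is None:
        print("no single-byte XOR key produced JSON; try a longer key")
    else:
        key, plaintext = result
        print(f"recovered key 0x{key:02x}: {plaintext.decode()}")
```

Ranking by printable ratio first keeps the JSON check cheap, and returning `None` rather than guessing makes the “longer key” failure mode explicit, which matters because a multi-byte key would need a different recovery approach (for instance, Hamming-distance keysize estimation) than the one shown here.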
The malicious Android app masquerades as media and package-delivery services such as TeaTV, VLC Media Player, DHL, and UPS. The malware acts as a dropper, loading a second-stage payload and pressuring the victim into granting it Accessibility Service permissions.
Other features of TeaBot include disabling Google Play Protect, intercepting SMS messages, and stealing Google Authenticator 2FA codes. The collected information is sent every 10 seconds to an attacker-controlled remote server.