TeaBot Android Trojan targeting users of financial apps in Europe

TeaBot is a relatively new Android banking Trojan that was discovered in January 2021 by the Threat Intelligence and Incident Response (TIR) team at Cleafy, a cybersecurity company.

While the main goal of TeaBot is to steal victim’s banking credentials and SMS messages which enables the threat actors to carry out frauds against a predefined list of banks, mainly European banks numbering over 60 targeted banks. TeaBot, once successfully installed in the victim’s device, allow the attackers to obtain a live stream of the device screen (on demand) and interact with the device through Android Accessibility Services.

Albeit, the malware is still in its early stage of development, with the attacks fully commencing in late March 2021, which was followed by a series of infiltration in the first week of May on Belgium and Netherlands banks.

How TeaBot Android banking Trojan steals users’ credentials?

TeaBot seems to have all the capabilities of modern Android banking Trojan such as ability to abuse the Accessibility Services to perform Overlay attacks against multiple banks apps to steal users login credentials and credit card information.

It also has the ability to send / intercept / hide SMS messages, thus enabling key logging functionalities and stealing of Google Authentication codes, with full remote control access to any infected Android device through Accessibility Services and real-time screen-sharing capabilities.

Additionally, TeaBot has the capabilities of disabling Google Play Protect and accessing Google Authenticator 2FA codes, with the collected information exfiltrated every 10 seconds to a remote server controlled by the attacker.

The TeaBot technical analysis reveals that the initial app name used by the malware was “TeaTV” – but as at last month the app name was changed to the following: “VLC MediaPlayer”, “Mobdro”, “DHL”, “UPS” and “bpost”, which are all the same decoy also used by the infamous banker Flubot/Cabassous.

How to Mitigate against TeaBot Banking Trojan

Given that TeaBot employs the same evasive techniques as Flubot by posing as innocuous apps helps it to stay under the radar. Therefore, it is recommended that Android users should always scrutinize the permissions granted to apps installed on their device.

If there is any unusual notifications and screen activities on your Android device, or you suspect a malware-infected app, quickly uninstall the app from your device, and always make sure the operating system and apps are up to date.

You May Also Like