
How TeaBot Trojan is Targeting European Banks Through Hijacked Android Handsets

by CISOCONNECT Bureau

The TeaBot Trojan, a new malware strain, is targeting bank accounts of customers across Europe. Read on to know more about it…

A new Android trojan has been discovered by security firm Cleafy that steals users’ SMS messages and credentials and uses them to commit online fraud. FluBot, a malware that exploits Android Accessibility Service, was discovered a few weeks ago. Mobile users in the United Kingdom, Spain, Belgium, Hungary, Germany, the Netherlands, Italy, and Poland were targeted by the TeaBot or Anatsa trojan.

Cleafy reported: “At the beginning of January 2021, a new Android banking Trojan was discovered and analyzed by our Threat Intelligence and Incident Response team.”

“We decided to dub this new family as TeaBot since it seems to not be related to any known banking Trojan family.”

Several malware families have been observed exploiting Accessibility Services to gain complete control of a victim’s device since the beginning of the year. Last month, the BRATA malware was discovered using Accessibility Services to take complete control of the device. Malicious apps acting as app security scanners were used to spread the malware.

According to researchers, the trojan is still in its early stages of development, with malicious attacks targeting financial apps starting in late March. The first TeaBot operation, on the other hand, started in January.

Working Mechanism
Rogue applications posing as package delivery and media services, such as VLC Media Player, TeaTV, UPS, and DHL, served as droppers for the trojan. These droppers deliver a second-stage payload that forces the victim to grant Accessibility Service permissions. Furthermore, TeaBot and FluBot both use the same decoy (fake shipment apps).

The hackers can get live streaming of the device screen and communicate with it through Accessibility Services after successfully installing malicious code on the victim’s device. Furthermore, the trojan can record keystrokes, take screenshots, and insert malicious overlays using Accessibility Services access.
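A defensive check for the pattern described above, added here as an example and not taken from Cleafy's report: it lists enabled accessibility services and flags those belonging to third-party apps that were not installed from a trusted store. It assumes the text formats printed by `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`; the package names and the trusted-installer set are constructed for illustration.

```python
# Added example: audit enabled Android accessibility services from adb output.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play only

def parse_enabled_services(raw):
    """Return (package, service_class) pairs from the colon-separated setting."""
    raw = raw.strip()
    if not raw or raw == "null":          # "null" means no service is enabled
        return []
    pairs = []
    for comp in raw.split(":"):
        pkg, _, cls = comp.partition("/")
        if pkg:
            # A leading "." is shorthand for "<package>.<Class>"
            pairs.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return pairs

def parse_installers(raw):
    """Map third-party package -> installer (None when no installer recorded)."""
    installers = {}
    for line in raw.splitlines():
        fields = line.strip().removeprefix("package:").split()
        if not line.strip().startswith("package:") or not fields:
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer="):
                value = field[len("installer="):]
                installer = None if value == "null" else value
        installers[fields[0]] = installer
    return installers

def flag_suspicious(services_raw, packages_raw, trusted=TRUSTED_INSTALLERS):
    """Flag enabled services whose third-party package lacks a trusted installer.
    Packages missing from the -3 listing are system apps and are skipped."""
    installers = parse_installers(packages_raw)
    return [(pkg, cls, installers[pkg])
            for pkg, cls in parse_enabled_services(services_raw)
            if pkg in installers and installers[pkg] not in trusted]

# Constructed sample output (not from a real device).
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.parceltracker/.core.HelperService:"
    "com.example.passwordmgr/com.example.passwordmgr.AutofillA11yService"
)
SAMPLE_PACKAGES = """package:com.example.parceltracker  installer=null
package:com.example.passwordmgr  installer=com.android.vending
"""

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print("review:", hit)
```

A flagged entry is a prompt for review, not a verdict: a legitimately sideloaded app with an accessibility service will also appear.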

TeaBot malware has undergone some interesting improvements in recent months, according to researchers. Furthermore, TeaBot currently supports six languages: Spanish, English, Italian, German, French, and Dutch.

Similar Malware Attacks
The TeaBot malware was first discovered targeting Spanish banks in January. TeaBot variants that targeted German and Italian banks were discovered in March.

In April, security firm Doctor Web disclosed that malicious apps in AppGallery, Huawei’s official app store, had targeted more than 500,000 Android devices around the world.

The Joker malware was discovered to be targeting Android users via malicious apps in Google Play and third-party app stores in September 2020. Malwarebytes revealed in July 2020 that fraudsters were embedding the Cerberus Trojan inside a money converter software to target Android devices.

Other malware has been aimed at Android users as well. According to a report published by Kaspersky in April, a sophisticated spyware campaign dubbed PhantomLance has been targeting Android users for the past five years through Trojan-laced apps in the Google Play Store that are disguised as various plug-ins, browser cleaners, and application updaters.

Concluding Words
TeaBot is active and has the capability of misusing Accessibility Services to carry out a range of attacks on Android devices. Furthermore, this threat has targeted a large number of banking customers. From a financial standpoint, it has a lot of potential to cause havoc, so users are advised to stay away from installing mobile apps from unknown sources.
