
TeaBot Trojan: Active and Performing Fraudulent Activities

A new Android trojan has been discovered that hijacks users' SMS messages and credentials to perform fraudulent activities. The trojan is identified as TeaBot or Anatsa and is mostly targeting banking users located in Spain, Germany, the Netherlands, Italy, and Belgium. 

What has happened?

According to researchers, the trojan is believed to be in its early stages of development. Malicious attacks launched in late March targeted financial apps; however, the first TeaBot activity began in January.
  • The trojan spread via rogue applications masquerading as package delivery and media services, such as VLC Media Player, TeaTV, UPS, and DHL, that worked as droppers.
  • These droppers load a second-stage payload and force the victim into granting Accessibility Service permissions. Moreover, TeaBot uses the same decoy (fake shipment apps) as FluBot.
  • Once the trojan is successfully installed on the victim's device, the attackers can get a live stream of the device screen and interact with it via Accessibility Services.
  • Further, the trojan can exploit the Accessibility Services access to record keystrokes, take screenshots, and inject malicious overlays.

Abusing accessibility services

Since the start of this year, several malware families have been observed abusing Accessibility Services to gain total control over victim devices.
  • A few weeks ago, the FluBot malware was discovered abusing the Android Accessibility Service. The malware targeted mobile users in the U.K., Spain, Hungary, Germany, Italy, and Poland.
  • Last month, BRATA malware was found taking full control of the device by utilizing Accessibility Services. The malware was spreading via malicious apps posing as app security scanners.

Recent past of TeaBot

Researchers have noticed some interesting changes in TeaBot malware in recent months.
  • In January, the malware was seen targeting Spanish banks.
  • In March, new variants of TeaBot were discovered that were targeting German and Italian banks.
  • Moreover, TeaBot currently supports 6 different languages, including Spanish, English, Italian, German, French, and Dutch.


TeaBot is active and is capable of performing a variety of attacks on Android devices by abusing Accessibility Services. Moreover, this threat has been targeting scores of banking users. It has a lot of potential to cause havoc from a financial perspective, and therefore users are advised to strictly avoid downloading mobile apps from unknown sources.
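A defender can check a device for the pattern described above, an app from an unknown source holding an enabled Accessibility Service. The following is an added example, not code from the researchers or from Cyware; it parses the output of two standard adb commands, and the package names, sample outputs and the trusted-installer list are constructed assumptions.

```python
# Added example: list apps that hold an enabled Accessibility Service and
# were not installed by a trusted store. All sample data is constructed.

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play only

# Constructed output of:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.parceltracker/.TrackerService"
)

# Constructed output of: adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.parceltracker  installer=null
package:com.example.notes  installer=null
"""

def parse_services(raw):
    """Return the package owning each enabled service (pkg/class, ':'-joined)."""
    raw = raw.strip()
    if not raw or raw == "null":  # setting unset: no service enabled
        return []
    return [comp.split("/", 1)[0] for comp in raw.split(":") if comp]

def parse_installers(raw):
    """Map package name -> installer package, None when no installer recorded."""
    installers = {}
    for line in raw.splitlines():
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        if not fields:
            continue
        inst = next((f.split("=", 1)[1] for f in fields[1:]
                     if f.startswith("installer=")), None)
        installers[fields[0]] = None if inst in (None, "null") else inst
    return installers

def flag_untrusted(services_raw, packages_raw, trusted=TRUSTED_INSTALLERS):
    """Packages with an enabled accessibility service and no trusted installer."""
    installers = parse_installers(packages_raw)
    return sorted({pkg for pkg in parse_services(services_raw)
                   if installers.get(pkg) not in trusted})

if __name__ == "__main__":
    print(flag_untrusted(SAMPLE_SERVICES, SAMPLE_PACKAGES))
```

Preinstalled system apps also report no installer, so a flagged package is a candidate for review rather than a confirmed infection.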

Cyware Publisher