According to a recent report, the TeaBot malware is pretending to be Kaspersky’s antivirus product to target its victims. The trojan, spreading via third-party app marketplaces, highlights the risks associated with downloading Android apps from unofficial marketplaces.

Malware disguised as antivirus protection

The report suggests that the fake app named Kaspersky Free Antivirus was mimicking the legitimate app - Kaspersky Internet Security for Android.
  • This fake app spreads the TeaBot banking trojan, aka HEUR:Trojan-Banker.AndroidOS.Teaban or HEUR:Trojan-Banker.AndroidOS.Regon.
  • Installing the app requires granting high-privilege permissions such as Accessibility Services.
  • These permissions provide TeaBot (aka Anatsa) with powerful capabilities such as keylogging and stealing Google Authenticator codes. In fact, Accessibility Services can even be exploited to gain full remote control of the infected Android devices.
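
For defenders triaging a sideloaded APK, the following added example (not taken from the report) checks a decoded AndroidManifest.xml for the combination described above: a well-known brand in the app label, an unexpected package name, and a declared accessibility service. The package names, the allowlist and the sample manifest are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Assumption: an allowlist kept by the defender, mapping a brand keyword to the
# package names the real vendor publishes. The value here is a placeholder.
EXPECTED_PACKAGES = {"kaspersky": {"com.example.vendor.real"}}

# Constructed sample: decoded manifest (e.g. apktool output) of a look-alike app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lookalike">
  <application android:label="Kaspersky Free Antivirus">
    <service android:name=".Svc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def accessibility_services(root):
    """Return names of services the system can bind as accessibility services."""
    found = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        if svc.get(ANDROID + "permission") == A11Y_PERMISSION or A11Y_ACTION in actions:
            found.append(svc.get(ANDROID + "name"))
    return found

def triage(manifest_xml, expected=EXPECTED_PACKAGES):
    """Flag a manifest whose label uses a known brand under an unexpected package."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    app = root.find("application")
    label = (app.get(ANDROID + "label") or "") if app is not None else ""
    # A label of the form @string/... must be resolved from resources first.
    mismatch = [brand for brand, pkgs in expected.items()
                if brand in label.lower() and package not in pkgs]
    services = accessibility_services(root)
    return {"package": package, "label": label, "accessibility_services": services,
            "brand_mismatch": mismatch, "suspicious": bool(services and mismatch)}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Legitimate apps also declare accessibility services, so the brand and package mismatch is what turns the finding into a triage signal.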

Recently discovered fake apps

A report from Bitdefender indicates that the recent fake Android app campaign dates to the beginning of December 2020.
  • The fake apps have been recently observed using the disguise of some well-known government, financial, fitness, and reading apps and spreading TeaBot and FluBot.
  • Some of the impersonated brands include TeaTV, VLC MediaPlayer, Mobdro, DHL, UPS, bpost, and popular bank apps such as Bankia Wallet, BankinterMovil, BBVA Spain, Bankia, Openbank, Cajasur, and Ibercaja.


Threats such as TeaBot lure their victims under the pretense of popular apps and brands. To stay protected, experts recommend strictly avoiding app downloads from insecure sources, emails, or messages from unknown users. Moreover, users need to stay cautious when searching for these apps and should search for them directly on a reliable app store instead of doing an open search on the internet.

Cyware Publisher