Researchers from Prodaft have revealed that the TeaBot malware (aka Toddler or Anatsa) is increasingly targeting countries in Europe, including the U.K, France, Belgium, Australia, Germany, Switzerland, and the Netherlands.

Fresh round of attacks

According to Prodaft Threat Intelligence team, the malware is still under development; however, it has targeted more than 7,000 devices so far.
  • The mobile trojan targeted customers of 60 European banks, attempting to steal their banking credentials. It has targeted mobile apps for financial organizations, including Belfius, BEO Bank, and FinecoBank, among others.
  • Although the trojan has not been found on Google Play, researchers have identified several legitimate websites that were compromised to host and distribute the malware. 
  • Upon infection, the malware downloads the fake login pages from its C2, which are lookalikes of the app used by the victim. These are overlaid on top of the victim’s screen showing the banking application.
  • In addition, the malware can steal data (including cryptocurrency wallet details), take screenshots, intercept 2FA codes and SMS, and conduct keylogging.

Recent attacks by Teabot

In the past few months, several research agencies have identified active campaigns by TeaBot operators, targeting various banks across European countries.
  • Last month, TeaBot was found masquerading as banking apps, targeting customers of several banks, including BBVA Spain, BBVA Mexico, Openbank, Santander bank, and Liberbank.
  • Around the same time, the malware was observed to be mimicking Kaspersky Internet Security for Android, thus, trying to obtain high privilege access permissions such as Accessibility Services on the victim’s device.


TeaBot malware operators are adept at disguising themselves as banking applications and other popular apps. Moreover, the inclusion of several sophisticated tricks such as targeting crypto wallets and abusing Accessibility Services makes it a dangerous threat.

Cyware Publisher