Android is once again the target of a new trojan. The malware can steal users' credentials and SMS messages to enable fraud against banks in Italy, Belgium, Spain, Germany and the Netherlands. It has been dubbed TeaBot and is reportedly still in its early stages of development.
Activity linked to TeaBot has been known since January; more malicious attacks targeting financial applications began in late March 2021, and in the first week of May more serious attacks were aimed at banks from the Netherlands to Belgium.
The Italian online fraud and cyber security firm Cleafy stated that the main goal of TeaBot is to steal the victim's SMS messages and credentials to enable fraud scenarios against a list of predefined banks. They further said that once TeaBot is installed on the victim's device, attackers can obtain a live stream of the device's screen on demand and can also interact with it through the accessibility services. The malicious apps imitate media-player and package-delivery services such as VLC Media Player, TeaTV, UPS and DHL. The malware acts as a dropper and loads a second-stage payload, which pressures the victim into granting it access to the accessibility service. Once granted, TeaBot disables the security features on the victim's phone. It then abuses the accessibility service to achieve real-time interaction with the compromised device, allowing the attacker to record every keystroke, take screenshots and inject malicious overlays on top of the login screens of banking apps. In this way, the victim's credit card information can be extracted.
Not only that, TeaBot can also disable Google Play Protect, intercept SMS messages and access Google Authenticator codes. The data it collects is sent to the attacker's remote server every 10 seconds. An increase has recently been observed in Android malware that abuses accessibility services to steal data. TeaBot also uses the same decoy tactic as FluBot, posing as a harmless shipment application in order to stay under the radar. In response to the rise in FluBot infections, the United Kingdom and Germany issued alerts last month warning people about ongoing attacks that use SMS messages to trick users into installing spyware that harvests sensitive data, including passwords.
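Every capability described above (overlays, keystroke capture, screen streaming) depends on the victim granting one accessibility service permission, so the first thing a defender checks on a suspect device is which accessibility services are enabled. The script below is an added example, not code from the article or from Cleafy; it parses the value Android stores in the `enabled_accessibility_services` secure setting against an allowlist, and the allowlist, package names and sample value are constructed for illustration.

```python
"""Flag enabled Android accessibility services that are not on an allowlist.
Added example, not from the article or Cleafy's report. Input is the value of
the secure setting read with:  adb shell settings get secure enabled_accessibility_services
The allowlist and the sample value below are constructed for illustration."""

# Constructed allowlist of services the device owner expects; an MDM or a
# known-good baseline would supply this in practice.
KNOWN_GOOD_SERVICES = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}

def parse_enabled_services(setting_value: str) -> list[str]:
    """Parse the colon-separated `package/Service` list Android stores.
    Android reports `null` (or an empty string) when none is enabled, and a
    component may be abbreviated `pkg/.Service` (leading dot = class in the
    package's own namespace), so expand it before comparing."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    services = []
    for entry in value.split(":"):
        entry = entry.strip()
        if "/" not in entry:
            continue  # malformed fragment: skip rather than crash
        package, component = entry.split("/", 1)
        if component.startswith("."):
            component = package + component
        services.append(f"{package}/{component}")
    return services

def suspicious_services(setting_value: str, allowlist=KNOWN_GOOD_SERVICES) -> list[str]:
    """Return enabled services not on the allowlist. Overlays, keystroke
    capture and screen streaming all hinge on the victim granting this one
    permission, so an unexpected entry is the first thing to investigate."""
    return [s for s in parse_enabled_services(setting_value) if s not in allowlist]

# Constructed sample: TalkBack plus an unknown service from a sideloaded app.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeplayer/.AccService"
)

if __name__ == "__main__":
    for name in suspicious_services(SAMPLE_SETTING):
        print("unexpected accessibility service:", name)
```

On a real device, pipe the output of the `adb shell settings get secure` command into `suspicious_services` and treat any hit from a recently sideloaded app as a reason to pull the APK for analysis.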