New Android banking trojan steals credentials, experts warn

May 20, 2021

On Monday, cybersecurity researchers disclosed a new Android banking trojan that hijacks users' login credentials and SMS messages to carry out fraud against bank customers in Germany, Italy, Belgium, Spain and the Netherlands.

The newly discovered malware, called TeaBot (also tracked as Anatsa), is said to be in its early stages and is expected to be developed further by its operators. The trojan began its attacks in late March 2021, with a rash of infections discovered in the first week of May against banks in the Netherlands and Belgium. The very first signs of TeaBot activity were traced back to January 2021.

An Italian cybersecurity and online-fraud-prevention firm that analysed the malware reports that TeaBot's primary goal is stealing the victim's banking credentials and SMS messages in order to commit fraud against a predefined list of banks in each targeted country. Once TeaBot is installed on the victim's Android device, the operators can live-stream the device's screen on demand and interact with the device through Android's Accessibility Services.

The trojan masquerades as a media or package-delivery app, impersonating VLC Media Player, TeaTV, DHL and UPS. The disguised app initially acts as a dropper: it executes a second-stage payload and pressures the victim into granting it the Accessibility Service permission, which Android requires the user to approve explicitly.

Through that accessibility access, TeaBot can observe and drive the compromised device in real time, letting attackers log keystrokes, take screenshots, and inject overlays on top of the login screens of targeted banking apps to capture credentials and credit card details. It can also disable Google Play Protect, intercept SMS messages (and with them any SMS-delivered one-time codes), and read Google Authenticator 2FA codes through the same accessibility access (those codes are generated inside the Authenticator app, not delivered by SMS). Captured data is exfiltrated to an attacker-controlled server every 10 seconds.

Malware that abuses Accessibility Services in the initial stage of an attack to steal data has surged in recent months. Since the start of this year, three other Android malware families, Oscorp, BRATA and FluBot, have also relied on this permission to take full control of infected devices.
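The accessibility-permission abuse described above, and the dropper's coercion of that permission two paragraphs earlier, is something an incident responder can check for directly on a suspect handset. The shell helper below is an added example, not code from this article or from the researchers it cites. It parses the output of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` component names) and of `adb shell pm list packages -i` (one `package:<pkg>  installer=<installer>` line per app) and flags every enabled accessibility service whose package was not installed from Google Play. The device output embedded here is constructed sample data, and the package names `com.example.teatv` and `com.vlc.player` are made-up stand-ins for the impersonated apps.

```shell
#!/bin/sh
# Triage helper (added example, not from the article or the cited researchers):
# list enabled accessibility services and flag those whose owning package
# did not come from Google Play (installer != com.android.vending).
#
# Input formats mirror two adb commands:
#   adb shell settings get secure enabled_accessibility_services
#     -> "pkg/ServiceClass:pkg2/ServiceClass2:..."
#   adb shell pm list packages -i
#     -> "package:<pkg>  installer=<installer or null>" per line

# Constructed sample output standing in for a live device.
# com.example.teatv and com.vlc.player are hypothetical package names.
SAMPLE_SERVICES='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.teatv/.MainAccessibilityService:com.vlc.player/com.vlc.player.AccService'

SAMPLE_PACKAGES='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.teatv  installer=null
package:com.vlc.player  installer=com.android.packageinstaller
package:com.android.chrome  installer=com.android.vending'

# installer_of PKG PACKAGE_LISTING
# Prints the installer recorded for PKG ("null" for a sideload with no
# recorded installer, "unknown" if PKG is absent from the listing).
installer_of() {
    printf '%s\n' "$2" | awk -v pkg="$1" -F'[ =]+' '
        $1 == ("package:" pkg) { print $NF; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# flag_services ENABLED_SERVICES PACKAGE_LISTING
# Prints "<installer> <pkg/ServiceClass>" for each enabled accessibility
# service whose package was not installed from Google Play.
flag_services() {
    services=$1
    listing=$2
    old_ifs=$IFS
    IFS=':'                      # component names never contain ':'
    for svc in $services; do
        pkg=${svc%%/*}           # strip "/ServiceClass" to get the package
        inst=$(installer_of "$pkg" "$listing")
        case $inst in
            com.android.vending) ;;                       # Play-installed
            *) printf '%s %s\n' "$inst" "$svc" ;;         # sideloaded/unknown
        esac
    done
    IFS=$old_ifs
    return 0
}

# Stand-alone run against the constructed sample.
flag_services "$SAMPLE_SERVICES" "$SAMPLE_PACKAGES"
```

On a live device, replace the two sample strings with the real `adb shell` output. Treat the result as a triage shortlist rather than a verdict: a sideloaded screen reader will be flagged too, and a Play-store installer is not proof of good faith, since sideloading is not the only way a dropper reaches a phone. The useful signal is an accessibility-enabled package that the user cannot account for, especially one posing as a media or delivery app.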
