The Android trojan targets banks in Italy, Spain, Germany, Belgium, and the Netherlands
Security researchers have identified a new Android trojan which, once installed on a victim's device, lets the threat actors behind it obtain a live stream of the device screen and interact with it through Android's Accessibility Services.
The Threat Intelligence and Incident Response team at Cleafy spotted the malware, which it named "Teabot". It is used to hijack users' credentials and SMS messages to facilitate fraudulent activities against banks in Spain, Germany, Italy, Belgium, and the Netherlands.
The researchers spotted the malware in January and found that it enabled fraud against more than 60 banks across Europe. By March 29, Cleafy analysts found the trojan being used against Italian banks, and by May, banks in Belgium and the Netherlands were also dealing with it.
According to the analysis, Teabot is still under development; it initially focused only on Spanish banks before moving on to banks in Germany and Italy. The malware currently supports six languages: Spanish, English, Italian, German, French, and Dutch.
The app was initially named TeaTV and has since repeatedly switched titles, posing as "VLC MediaPlayer," "Mobdro," "DHL," "UPS," and "bpost."
The Cleafy report states that once the malicious app has been downloaded onto the device, it tries to install itself as an "Android Service," an application component that can perform long-running operations in the background. TeaBot abuses this feature to hide silently from the user once installed, evading detection and ensuring its persistence.
Once installed, TeaBot requests Android permissions to observe the user's actions, retrieve window content, and perform arbitrary gestures. When those permissions are granted, the app removes its icon from the device.
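As an added example (not code from the Cleafy report, and not the malware's own code), the following POSIX shell script shows how a defender can triage a device for the two behaviours described above: an enabled accessibility service from an unexpected package, and a third-party app with no launcher icon. It parses the raw output of standard adb commands; the sample data and the allowlist of accepted accessibility packages are constructed assumptions to be replaced with values from your own fleet.

```shell
#!/bin/sh
# Added example, not from the Cleafy report: device-triage checks for the two
# behaviours described above (an enabled accessibility service, and an installed
# app with no launcher icon). On a live device the raw inputs come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3
#   adb shell cmd package query-activities --brief \
#       -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
# All sample data below is constructed; the allowlist is an assumption.

# Accessibility services expected on managed devices (assumed allowlist).
ALLOWED_ACCESSIBILITY_PKGS="com.google.android.marvin.talkback com.android.settings"

# Print each enabled accessibility service whose package is not on the allowlist.
# $1 = raw value of enabled_accessibility_services ("package/ServiceClass"
#      entries separated by ':'; the string "null" when none is enabled).
flag_unknown_accessibility_services() {
    raw="$1"
    if [ "$raw" = "null" ]; then raw=""; fi
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r entry; do
        if [ -z "$entry" ]; then continue; fi
        pkg="${entry%%/*}"
        allowed=0
        for a in $ALLOWED_ACCESSIBILITY_PKGS; do
            if [ "$a" = "$pkg" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then printf '%s\n' "$entry"; fi
    done
}

# Print each third-party package that has no MAIN/LAUNCHER activity, i.e. no
# icon in the app drawer. Many legitimate apps (keyboards, widgets, background
# services) also lack one, so this is a triage hint, not a verdict.
# $1 = output of "pm list packages -3" (lines of "package:<name>")
# $2 = output of "cmd package query-activities --brief ..." (lines of
#      "<package>/<activity>", possibly mixed with header text)
flag_packages_without_launcher() {
    pkgs="$1"
    launchers="$2"
    printf '%s\n' "$pkgs" | sed -n 's/^package://p' | while IFS= read -r pkg; do
        if [ -z "$pkg" ]; then continue; fi
        # Escape dots so the package name is matched literally and anchored,
        # so "com.foo" does not match "com.foobar/..." or "com-foo/...".
        escaped=$(printf '%s' "$pkg" | sed 's/\./\\./g')
        if ! printf '%s\n' "$launchers" | grep -q "^$escaped/"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Constructed samples standing in for the adb output on a real device.
SAMPLE_ACCESSIBILITY='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknownapp/.svc.AccService'
SAMPLE_PACKAGES='package:com.example.unknownapp
package:com.example.notes
package:com.example.keyboard'
SAMPLE_LAUNCHERS='Activity Resolver Table:
com.example.notes/.MainActivity
com.android.settings/.Settings'

echo "Accessibility services not on the allowlist:"
flag_unknown_accessibility_services "$SAMPLE_ACCESSIBILITY"
echo "Third-party packages with no launcher icon:"
flag_packages_without_launcher "$SAMPLE_PACKAGES" "$SAMPLE_LAUNCHERS"
```

Against the constructed sample the first check reports only the unknown accessibility service, and the second reports the two third-party packages without a launcher activity. A package that shows up in both lists is the combination the report describes and is the one to pull for further analysis; a hit in only the second list is common for legitimate software and should be cross-checked against the device's app inventory before acting on it.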
Saumitra Das, CTO of cybersecurity firm Blue Hexagon, said Teabot represents a shift in mobile malware from being just a sideline issue to being a mainstream problem, just as malware is on traditional endpoints.
It is also important to note that even though the apps are not on Google Play, the phishing/social engineering tactics used by the actors behind Teabot/Flubot are as good as those of any threat family on the PC side, as within a short time frame they can manage to get a huge infection base.