TeaBot/Anatsa: New Android malware that emerged in Italy targets banks in 5 European countries for online fraud

May 11, 2021 12:23 GMT  ·  By

A new trojan targeting Android was reported on Monday. The malware steals users' credentials and SMS messages to ease fraudulent activities against banks in Spain, Germany, Italy, Belgium, and the Netherlands.  

The malware, dubbed "TeaBot" (or Anatsa), is allegedly in its initial stages of development.

While TeaBot's activity has been known since January, more malicious attacks targeting financial apps started in late March 2021. More serious attacks targeted banks in Belgium and the Netherlands in the first week of May.

Cleafy, the Italian cybersecurity and online fraud prevention firm, stated that "The main goal of TeaBot is stealing victim's credentials and SMS messages for enabling fraud scenarios against a predefined list of banks,"

"Once TeaBot is successfully installed in the victim's device, attackers can obtain a live streaming of the device screen (on demand) and also interact with it via Accessibility Services."

The rogue Android app imitates media and package delivery services such as TeaTV, VLC Media Player, DHL, and UPS. The malware acts as a dropper, loading a second-stage payload and forcing the victim to grant it accessibility service permissions.

TeaBot disables all security features on your phone

TeaBot exploits this access to achieve real-time interaction with the compromised device, allowing the bad actor to record keystrokes, take screenshots, and inject malicious overlays on top of login screens in banking apps. This way passwords and credit card information can be extracted.

TeaBot can also disable Google Play Protect, intercept SMS messages, and access Google Authenticator 2FA codes, among other things. The collected data is then sent to a remote server controlled by the attacker every 10 seconds.
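The capabilities described above all hinge on one thing: a sideloaded app that has been granted an accessibility service. The following is an added triage check for a device under review, not code from the article or from Cleafy's analysis. It parses text in the shape produced by `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of flattened `package/service` component names) and `adb shell pm list packages -3 -i` (third-party packages with their installer), and flags any third-party package with an enabled accessibility service that was not installed through Google Play. The sample outputs embedded below are constructed and the package names are fictional.

```python
"""Triage: which third-party apps have an enabled accessibility service,
and did they come from Google Play?

Added example for this article, not Cleafy's or the article's own code.
Assumes the output formats of these two adb commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3 -i
Sample outputs below are constructed; package names are fictional.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of the secure setting: colon-separated flattened
# ComponentNames ("package/service class"); "null" means nothing enabled.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeplayer/.AccService"
)

# Constructed sample of `pm list packages -3 -i` output.
SAMPLE_PACKAGE_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeplayer  installer=null
package:com.example.bank  installer=com.android.vending
"""


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    installer: Optional[str]  # None = unknown / sideloaded


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Return (package, service) pairs from the enabled_accessibility_services value."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for component in raw.split(":"):
        if "/" not in component:
            continue
        pkg, svc = component.split("/", 1)
        # ComponentName shorthand: a class starting with "." is relative to the package.
        if svc.startswith("."):
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package from `pm list packages -i` output."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, rest = body.partition("installer=")
        installer = rest.strip() or None
        if installer == "null":
            installer = None
        installers[pkg.strip()] = installer
    return installers


def suspicious_accessibility_apps(enabled_raw: str, packages_raw: str) -> List[Finding]:
    """Flag third-party packages that run an enabled accessibility service
    and were not installed via Google Play (the sideloading pattern used by
    SMS-delivered droppers)."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, svc in parse_enabled_services(enabled_raw):
        if pkg not in installers:
            continue  # not in the third-party (-3) list: system app, out of scope here
        installer = installers[pkg]
        if installer != PLAY_STORE_INSTALLER:
            findings.append(Finding(pkg, svc, installer))
    return findings


def collect_from_device() -> List[Finding]:
    """Run both adb commands against a connected device and triage the output."""
    enabled = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True).stdout
    pkgs = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-3", "-i"],
        capture_output=True, text=True, check=True).stdout
    return suspicious_accessibility_apps(enabled, pkgs)


if __name__ == "__main__":
    # Offline run over the constructed samples; use collect_from_device() for a real handset.
    for f in suspicious_accessibility_apps(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGE_LIST):
        print(f"REVIEW: {f.package} runs accessibility service {f.service} "
              f"(installer: {f.installer or 'unknown/sideloaded'})")
```

Against the constructed sample only `com.example.fakeplayer` is reported, because it has an accessibility service enabled and no recorded installer. A hit is a lead for review, not proof of infection: legitimate accessibility tools installed outside the Play Store will also match, so compare the flagged package against what the user knowingly installed before treating it as a dropper.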

In recent months, there has been an increase in Android malware that uses accessibility services as a stepping stone to steal data.

TeaBot appears to be using the same decoy as FluBot, posing as innocuous shipment apps, which could be an attempt to deflect attribution and stay under the radar.

Due to the increased number of FluBot infections, Germany and the United Kingdom issued alerts last month, warning of ongoing attacks using phishing SMS messages to trick users into installing spyware that steals passwords and other sensitive data.