Cleafy security researchers discovered a new banking trojan targeting banks in Europe. They named the new Android malware variant “TeaBot” because it is not related to other banking trojans.
The Android malware abuses Android’s Accessibility Services to overlay legitimate banking apps, intercept user actions and two-factor authentication codes, and perform arbitrary actions.
Cleafy’s Threat Intelligence and Incident Response team discovered the malware in January 2021. By March 29, the researchers had detected malicious injections against Italian banks, and against Belgian and Dutch banks by May 2021.
TeaBot Android malware can stream a device’s screen and mimic user interaction
The researchers explained that the primary goal of TeaBot is stealing victims’ banking credentials for fraudulent purposes by abusing Android’s Accessibility Services.
The Android malware achieves real-time interaction with the compromised device to bypass “new device enrollment” checks and perform an Account Takeover (ATO).
When TeaBot is successfully installed on the victim’s device, attackers can obtain a live stream of the device screen on demand and also interact with it.
The banking trojan can also send, intercept, and hide SMS messages to bypass two-factor authentication.
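Because every capability described above (overlays, screen streaming, keystroke capture) hinges on the malware holding an enabled Accessibility Service, one concrete check a defender can run on a managed device is to list the enabled services and compare them against an allowlist. The following is an added example, not code from the Cleafy report or from TeaBot itself; it assumes the raw string comes from `adb shell settings get secure enabled_accessibility_services` (which prints colon-separated `package/service` entries, or `null` when none are enabled) and uses constructed package names and a constructed allowlist.

```python
# Audit enabled Android Accessibility Services against an allowlist.
# Added example; package names and sample output below are constructed.

# Hypothetical allowlist: the one accessibility service this fleet is expected to use.
ALLOWLIST = {"com.google.android.marvin.talkback"}

# Constructed sample of what `settings get secure enabled_accessibility_services`
# prints: one legitimate screen reader plus an unexpected service in short form.
SAMPLE_OUTPUT = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.dropper/.ReaderService"
)


def parse_enabled_services(raw):
    """Return a list of (package, fully-qualified class) tuples.

    The setting is ':'-separated; each entry is 'package/class'. A class that
    starts with '.' is shorthand relative to the package. An unset value is
    printed as 'null' (or is empty), which means no service is enabled.
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    services = []
    for entry in raw.split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls          # expand the short form to a full class name
        services.append((pkg, cls))
    return services


def audit_accessibility(raw, allowlist=ALLOWLIST):
    """Return the enabled services whose package is not on the allowlist."""
    return [svc for svc in parse_enabled_services(raw) if svc[0] not in allowlist]


if __name__ == "__main__":
    for pkg, cls in audit_accessibility(SAMPLE_OUTPUT):
        print(f"unexpected accessibility service: {pkg} ({cls})")
```

On a real device the string would be fetched with `adb shell settings get secure enabled_accessibility_services` and fed to `audit_accessibility`; anything that is not an accessibility tool the organisation deploys deserves a look, since a freshly sideloaded app holding this privilege is exactly the foothold the report describes.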
Like other Android banking trojans such as Anubis and Cerberus/Alien, it overlays banks’ mobile applications to steal login and credit card information. It also observes and intercepts user actions and can perform arbitrary actions.
Unlike other banking trojans such as EventBot, which observe all installed apps, TeaBot only spies on selected banking applications. Consequently, it downloads specific payloads to perform overlay attacks against specific banks.
“TeaBot, during its first communications with the C2, sends the list of installed apps to verify if the infected devices had one or more targeted apps already installed,” the researchers noted.
Cleafy researchers also discovered that the Android malware sent user interaction information for specific bank apps every ten seconds to the command server. This strategy ensured that there is little traffic between the Android malware and the…
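The fixed ten-second reporting interval described above is the kind of regularity that stands out in network telemetry even when individual requests are small. The following added example, not code from the Cleafy report, shows a simple beacon detector: it groups connection records by (source package, destination host), computes inter-arrival gaps, and flags pairs whose median gap sits near a given period with little spread. The log format, package names and the `203.0.113.10` destination (a TEST-NET address) are constructed for the example.

```python
# Flag periodic (beacon-like) connections in a per-app connection log.
# Added example; log format and all values below are constructed.
import statistics

# Constructed sample log: "<epoch seconds> <source package> <destination host>".
# One app reports to the same host every ten seconds; the others are irregular.
SAMPLE_LOG = """\
1620000000 com.example.banking api.example-bank.test
1620000003 com.example.suspicious 203.0.113.10
1620000013 com.example.suspicious 203.0.113.10
1620000023 com.example.suspicious 203.0.113.10
1620000033 com.example.suspicious 203.0.113.10
1620000043 com.example.suspicious 203.0.113.10
1620000041 com.example.browser www.example.org
1620000097 com.example.browser www.example.org
1620000111 com.example.browser www.example.org
"""


def parse_log(text):
    """Group timestamps by (package, host); skips blank lines."""
    flows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pkg, host = line.split()
        flows.setdefault((pkg, host), []).append(int(ts))
    return flows


def find_beacons(flows, period=10, tolerance=0.2, min_events=4):
    """Return flows whose inter-arrival gaps cluster around `period` seconds.

    `tolerance` bounds both how far the median gap may sit from `period`
    (as a fraction of it) and the spread of the gaps (standard deviation
    divided by the median). `min_events` avoids judging on one or two gaps.
    """
    findings = []
    for (pkg, host), times in flows.items():
        if len(times) < min_events:
            continue
        times = sorted(times)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        # A true beacon has a tight gap distribution; jittery user traffic does not.
        spread = statistics.pstdev(gaps) / median_gap if median_gap else float("inf")
        if abs(median_gap - period) <= tolerance * period and spread <= tolerance:
            findings.append({
                "package": pkg,
                "host": host,
                "events": len(times),
                "median_gap": median_gap,
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['package']} -> {hit['host']}: "
              f"{hit['events']} connections, median gap {hit['median_gap']}s")
```

The thresholds are deliberately loose: a real detector would widen `period` to a range rather than a single value, since the interval is an attacker-chosen constant, and would combine this signal with the fact that the destination is not a known banking or vendor endpoint.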