Cybersecurity researchers at Cleafy describe a new Android trojan that steals users’ credentials and SMS messages. Its operators then use the stolen usernames and passwords for fraudulent activities targeting banks in Spain, Germany, Belgium, Italy, and the Netherlands.
The malware, dubbed “TeaBot” and also known as Anatsa, is still in its early stages of development, researchers at the Italian cybersecurity and online fraud prevention firm believe. They first observed it in January and again in March, when it was targeting financial apps.
More recently, researchers have seen it used in a series of infections in the first week of May against Belgian and Dutch banks.
“The main goal of TeaBot is stealing victims’ credentials and SMS messages for enabling fraud scenarios against a predefined list of banks,” Cleafy researchers said in a Monday write-up. “Once TeaBot is successfully installed on the victim’s device, attackers can obtain a live stream of the device screen (on demand) and also interact with it via Accessibility Services.”
Hackers lure victims into downloading and installing a fake Android application that masquerades as a media or delivery service app: TeaTV, VLC Media Player, DHL, or UPS. The app acts as a dropper for a second-stage payload and prompts the victim to grant it accessibility service permissions, which TeaBot needs for real-time interaction with the compromised device. With that permission, its operators can record keystrokes, take screenshots, and show overlays on top of the login screens of banking apps. Their end goal is to steal credentials and credit card information.
Researchers warn that TeaBot can disable Google Play Protect, intercept SMS messages to capture one-time codes sent by text, and also steal Google Authenticator 2FA codes. The captured data is exfiltrated to the attackers’ remote server every 10 seconds.
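The combination described above, an enabled accessibility service plus SMS permissions in a package that poses as a media or delivery app, is something a responder can check for on a device. The following triage helper is an added example, not Cleafy’s tooling or anything from the TeaBot write-up. It assumes the defender has already pulled two pieces of text over adb: the value of the `enabled_accessibility_services` secure setting (a colon-separated list of `package/service` entries) and, for each package, the output of `dumpsys package <pkg>`, from which it reads the `granted=true` lines. The package names, service names and dumpsys excerpts below are constructed and simplified for the example; real dumpsys output is longer and its layout varies between Android versions.

```python
"""Triage helper: flag installed Android packages that combine an enabled
accessibility service with a granted SMS permission.

Added example, not from the original article or from Cleafy. Inputs are the
text of `adb shell settings get secure enabled_accessibility_services` and,
per package, `adb shell dumpsys package <pkg>`; the samples here are
constructed and simplified, and the package names are hypothetical.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of the secure setting: "pkg/service:pkg/service:...".
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.teatv.update/com.teatv.update.AccService:"
    "com.vlc.player.free/.SvcAcc"
)

# Constructed, simplified dumpsys package excerpts, keyed by package name.
DUMPSYS = {
    "com.google.android.marvin.talkback": """
      install permissions:
        android.permission.INTERNET: granted=true
""",
    "com.teatv.update": """
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true
        android.permission.READ_SMS: granted=true
      install permissions:
        android.permission.INTERNET: granted=true
""",
    "com.vlc.player.free": """
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=false
      install permissions:
        android.permission.INTERNET: granted=true
""",
}

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Accessibility packages the defender expects on the device (an assumption
# for this example; replace with the real allowlist for the fleet).
KNOWN_GOOD = {"com.google.android.marvin.talkback"}

GRANT_RE = re.compile(r"(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_enabled_services(value):
    """Return {package: service} from the "pkg/svc:pkg/svc" setting format."""
    result = {}
    for entry in filter(None, value.strip().split(":")):
        pkg, _, svc = entry.partition("/")
        result[pkg] = svc
    return result


def granted_permissions(dumpsys_text):
    """Set of permissions that dumpsys reports as granted=true."""
    return {perm for perm, state in GRANT_RE.findall(dumpsys_text) if state == "true"}


@dataclass
class Finding:
    package: str
    service: str
    sms_perms: set = field(default_factory=set)


def triage(enabled_value, dumpsys_by_pkg, known_good=KNOWN_GOOD):
    """Flag packages that have an enabled accessibility service, hold at least
    one granted SMS permission, and are not on the allowlist."""
    findings = []
    for pkg, svc in parse_enabled_services(enabled_value).items():
        if pkg in known_good:
            continue
        sms = granted_permissions(dumpsys_by_pkg.get(pkg, "")) & SMS_PERMS
        if sms:
            findings.append(Finding(pkg, svc, sms))
    return findings


if __name__ == "__main__":
    for f in triage(ENABLED_SERVICES, DUMPSYS):
        print(f"SUSPECT {f.package} service={f.service} sms={sorted(f.sms_perms)}")
```

The check deliberately keys on granted rather than merely requested SMS permissions, so the constructed `com.vlc.player.free` entry, which has an accessibility service enabled but no SMS grant, is not reported; a stricter policy could flag any non-allowlisted accessibility service regardless of permissions, since that alone is what gives a trojan keystroke and overlay capability.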
There has been a surge of malware abusing accessibility services in recent months. Since the start of the year, Oscorp, BRATA, and FluBot have all abused the feature to gain full control over infected devices.