Toddler Mobile Banking Trojan Spreads Across Europe

Toddler Mobile Banking Trojan Spreads Across Europe

Researchers have analyzed the spread of a new Android banking Trojan called Toddler, which is infecting users across Europe.

According to the team at the PRODAFT Threat Intelligence (PTI), Toddler, which is also known as TeaBot/Anatsa, is a testimony to the rise of mobile banking malware that is threatening the security of users in several European countries.

The Trojan was first discovered in January by a cybersecurity company Cleafy. It has been used at the time to attack users of 60 banks in Europe. In June, Bitdefender identified Spain and Italy as two countries where users were most likely to get infected.

PTI says Spain has emerged as the country with the most number of Toddler infections. Researchers identified over 7,600 mobile devices that have been infected.

After infiltrating a C2 server used by the operators of the Android Trojan, researchers discovered over a thousand sets of stolen bank credentials.

Security researchers have identified numerous legitimate websites “serving” the Toddler malware through malicious .APK files and Android apps. Toddler ahs not been found on Play Store. So far Toddler has targeted 18 financial organizations in Europe.

Once installed, Trojan can collect and modify data, intercept SMS, perform keylogging, and connect to a botnet. The malware will trick victims into providing their bank credentials by displaying fake login screens.

“Toddler downloads the specially-crafted login page for the opened target application from its C2,” PRODAFT noted. “The downloaded webview phishing page is then laid over the target application. The user suspects nothing because this event happens almost instantaneously when the legitimate application is opened.”

The malware will steal other account records too and attempt to access cryptocurrency wallets.

The C2’s Command List includes the activation of an infected device’s screen, prompting users to grant permissions, uninstalling apps and trying accessing Google Authenticator via Accessibility.

Researchers note that the Trojan has a unique level of persistence maintaining a high level of infection for a long time.

“Toddler sets a new precedent for persistence module implementation,” the researchers say. “Removal of the malware from the device requires huge technical expertise and it looks like the process will not get easier in the future.”

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.