TeaBot malware tries to spy on banking data on Android devices

Threat Alert

Users are being targeted by cybercriminals by downloading infected Android apps. German users are also affected. With the help of the “TeaBot” malware, the cybercriminals are trying to obtain users’ bank data. Find out exactly what the threat is and what you can do.

What happened?

On May 12, Italian security researchers at Cleafy announced the discovery of a new Android malware called “TeaBot.” The malware was first discovered in early January and classified as a banking Trojan. TeaBot’s main goal is to steal victims’ login credentials and SMS messages in order to commit fraud against a predefined list of banks. Attacks against German banks were first observed at the beginning of May this year.

What risks does TeaBot pose to my business?

Once the malware is successfully installed on the victim’s device, the attackers receive a live stream of the affected device’s screen. They can also interact with the device through its Accessibility Services to hijack users’ credentials and SMS messages and enable fraudulent activities. The malware is “hidden” in a compromised mobile app that is believed to have been downloaded recently.

More background on the TeaBot threat

IT security portal ZDNet describes: “The app was initially named TeaTV, but then kept changing titles to “VLC MediaPlayer,” “Mobdro,” “DHL,” “UPS” and “bpost.” Currently, the malware runs under the name “TeaBot”. It seems to have all the main characteristics of the new type of Android banking Trojans, which are characterized by the abuse of so-called Accessibility Services. These Accessibility Services allow an application to interact with other apps. Examples would include:

  • Ability to engage in undetected activity in the background.
  • Ability to perform overlay attacks against multiple banking applications to steal credentials and credit card information.
  • Ability to send / intercept / hide SMS messages.
  • Ability to enable key logging features.
  • Ability to steal Google authentication codes.
  • Ability to gain full remote control of an Android device (via Accessibility Services and real-time screen sharing).

As Cleafy researchers found out, the malware has three main functions:

  1. Keylogging, i.e. recording all typing on the compromised device.
  2. Taking screenshots.
  3. Overlay attack, where the attacker is able to perform actions on behalf of the victim.

What can I do?

If you are an Android user, pay special attention to the apps on your smartphone. Since TeaBot has been “hidden” in compromised apps such as VLC Media Player, TeaTV, DHL and UPS, we recommend checking the phone for the presence of these apps. If you have recently downloaded any of the mentioned apps, you should be extra vigilant, especially if they did not come from official sources (e.g. the Play Store or directly from the app’s provider). A recent attack is hard to identify. What should make you suspicious is receiving an unusual message with a link to a banking app. Also, keep an eye on your company account payments. This can be done, for example, by enabling an email or SMS notification for each transaction made; usually, this service can be set up in your bank’s online portal. If you notice unexpected debits on your bank account, you should contact your bank immediately.

The next step should be to install all updates on your Android device. To protect your phone from malware, we recommend not downloading apps from third-party sites and carefully checking which apps you download (including from the Google Play Store). Also, it is important not to click on links in text messages, especially if you do not recognise the sender’s number or do not expect such a message from a known number.
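A defender-side check for the two warning signs discussed above (apps that did not come from an official source, and apps holding Accessibility Services access), as an added example that is not part of the original alert: it parses the output of two standard `adb shell` commands, `pm list packages -3 -i` and `settings get secure enabled_accessibility_services`, and flags third-party apps that were not installed by the Play Store and currently hold an accessibility service. The sample outputs and package names are constructed for this example; the output formats are assumed to be those of current Android builds.

```python
import re
from typing import Dict, List, Optional, Set

# Installer id of the Google Play Store; any other installer counts as sideloaded.
PLAY_STORE = "com.android.vending"

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps
# with the package that installed them). All package names here are made up.
SAMPLE_PACKAGES = """\
package:com.example.bankapp  installer=com.android.vending
package:com.example.videoplayer  installer=com.android.vending
package:com.example.dhl.tracker  installer=null
package:com.example.teatv  installer=com.google.android.packageinstaller
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated package/service pairs; the string "null" when none are enabled).
SAMPLE_A11Y = (
    "com.example.dhl.tracker/com.example.dhl.tracker.HelperService:"
    "com.example.screenreader/com.example.screenreader.ReaderService"
)


def parse_packages(pm_output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package, or None when no installer is recorded."""
    pkgs: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkgs[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return pkgs


def parse_accessibility(settings_output: str) -> Set[str]:
    """Package names that currently hold an enabled accessibility service."""
    value = settings_output.strip()
    if value in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def sideloaded_apps(pm_output: str) -> List[str]:
    """Third-party apps that were not installed through the Play Store."""
    return sorted(p for p, inst in parse_packages(pm_output).items() if inst != PLAY_STORE)


def high_risk_apps(pm_output: str, settings_output: str) -> List[str]:
    """Sideloaded apps that also hold accessibility access: the pattern the alert describes."""
    a11y = parse_accessibility(settings_output)
    return [p for p in sideloaded_apps(pm_output) if p in a11y]
```

To run it against a real device, feed the two commands' live output (e.g. via `subprocess.run(["adb", "shell", ...])`) into `high_risk_apps` in place of the constructed samples; any app it returns should be reviewed and, if unexpected, removed before banking apps are used on that phone again.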