18.05.2021

Malware TeaBot tries to spy on banking data on Android devices

Cybercriminals are targeting users through infected Android apps, and German users are also affected. With the help of the malware “TeaBot”, the cybercriminals try to get hold of the users’ bank details. Learn what exactly the threat is and what you can do.

What happened?

On May 12, Italian security researchers from Cleafy announced the discovery of a new Android malware called “TeaBot”. The malware was first discovered at the beginning of January and classified as a banking Trojan. The main goal of TeaBot is to harvest victims’ credentials and SMS messages to enable fraud against a predefined list of banks. Attacks on German banks were first observed at the beginning of May this year.

What are the risks of TeaBot for my company?

Once the malware is successfully installed on the victim’s device, the attackers receive a live stream of the affected device’s screen. They can also interact with the device via its accessibility services to hijack users’ login credentials and SMS messages and enable fraudulent activity. The malware is “hidden” in a compromised mobile app, which the victim is believed to have downloaded recently.

Further background on the threat of TeaBot

The IT security portal ZDNet describes: “The app was initially called TeaTV, but then kept changing the title to “VLC MediaPlayer”, “Mobdro”, “DHL”, “UPS” and “bpost”. Currently, the malware is known as “TeaBot”. It seems to have all the main characteristics of the new type of Android banking Trojan, which is characterized by the abuse of so-called accessibility services. These accessibility services allow an application to interact with other apps. Examples of this would be:

  • Ability to perform unnoticed activity in the background.
  • Ability to perform overlay attacks against multiple banking applications to steal credentials and credit card credentials.
  • Ability to send/intercept/hide SMS.
  • Ability to enable key logging features.
  • Ability to steal Google authentication codes.
  • Ability to gain full remote control of an Android device (via Accessibility Services and real-time screen sharing).”

As Cleafy’s researchers discovered, the malware has three main functions:

  • Keylogging, i.e. recording all inputs on the compromised device.
  • Screenshot capture.
  • Overlay attacks, in which the attacker performs actions on behalf of the victim.
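Because the abuse described above hinges on an app holding accessibility rights, a quick defender-side triage is to list which packages have an enabled accessibility service and check whether each came from a trusted store. The following script is an added example, not code from the article, Cleafy or ZDNet; it parses constructed sample output in the format of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`, and the trusted-installer set is an assumption to adapt to your fleet.

```python
import re
from typing import Dict, List, Set

# Assumption: only Google Play counts as a trusted installer here; add your
# MDM or OEM store package names for your own environment.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -i` output.
# "installer=null" means the app was sideloaded (no store recorded).
SAMPLE_INSTALLERS = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.teatv  installer=null
package:com.example.parcelapp  installer=com.android.packageinstaller
package:com.google.android.marvin.talkback  installer=com.android.vending
"""

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated "package/ServiceClass" entries.
SAMPLE_ENABLED_SERVICES = (
    "com.example.teatv/com.example.teatv.AccService:"
    "com.google.android.marvin.talkback/.TalkBackService"
)

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(text: str) -> Dict[str, str]:
    """Map package name -> installer package name ('null' if sideloaded)."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_enabled_services(text: str) -> Set[str]:
    """Return the packages that currently hold an enabled accessibility service."""
    return {e.split("/", 1)[0] for e in text.strip().split(":") if "/" in e}


def flag_suspicious(installers: Dict[str, str], services: Set[str],
                    trusted: Set[str] = TRUSTED_INSTALLERS) -> List[str]:
    """Packages with accessibility rights that were not installed by a trusted store.
    A package missing from the installer list is treated as sideloaded."""
    return sorted(p for p in services if installers.get(p, "null") not in trusted)


if __name__ == "__main__":
    found = flag_suspicious(parse_installers(SAMPLE_INSTALLERS),
                            parse_enabled_services(SAMPLE_ENABLED_SERVICES))
    print("Review these packages:", found)  # prints ['com.example.teatv']
```

A hit only means the app deserves a closer look (uninstall-and-reinstall from the store, or escalation to the security team), not that it is malicious.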

What can I do?

If you’re an Android user, pay special attention to the apps on your smartphone. Since TeaBot has been “hidden” in compromised applications such as VLC Media Player, TeaTV, DHL and UPS, we recommend checking the phone for the presence of these apps. If you have recently downloaded any of the apps mentioned, you should be particularly attentive, especially if they did not come from official sources (e.g. the Play Store or directly from the provider of the app). An ongoing attack is difficult to identify; receiving an unusual message with a link to a banking app should make you suspicious. Also, keep an eye on payments from your company account, for example by setting up an e-mail or text notification for every transaction made; in most cases this can be configured in your bank’s online portal. If you notice unexpected charges to your bank account, contact your bank immediately.

The next step is to install all available updates on your Android device. To protect your phone from malware, we recommend not downloading apps from third-party sites and carefully checking which apps you install (including from the Google Play Store). Also, do not click on links in messages, especially if you cannot identify the sender’s number or do not expect such a message from a known number.