Malware first observed in Italy can steal victims’ credentials and SMS messages as well as livestream device screens on demand.

Researchers have discovered an Android trojan that can steal victims’ SMS messages and credentials and completely take over devices. The trojan, dubbed TeaBot, is aimed at committing fraud against at least 60 banks in Europe.

Once the trojan is installed on a victim’s device, attackers can use it to obtain a live stream of the device screen on demand and to interact with the device via Accessibility Services, according to a report posted online by fraud-management firm Cleafy. The trojan is also tracked under the name “Anatsa.”

Researchers from Cleafy’s Threat Intelligence and Incident Response (TIR) team first detected TeaBot, which shares a number of features with other Android trojans, on March 29 in attacks against banks in Italy, but the malware has since spread with “injections against Belgium and Netherlands banks,” according to the report.

However, on digging deeper into the sample they examined, researchers found evidence that TeaBot had targeted banks in Spain as early as January and German banks in March, they said. In total, researchers have extracted scenarios against a predefined list of more than 60 banks.

Work in Progress

At the moment, the trojan supports six different languages (Spanish, English, Italian, German, French and Dutch) and appears to be in the early stages of development, judging by some of the glitches observed in its process flow, researchers noted.

“The partial network encryption and the presence of some not-working injections and commands (or in some cases a lack of injections for specific targeted banks) suggest to us that the TeaBot is still under development,” they wrote.

Like other Android trojans that use Accessibility Services to do their dirty work, TeaBot also can abuse this feature to perform a number of functions on someone’s device. These capabilities include performing Overlay Attacks against multiple banking applications to steal login credentials and credit card information, something it shares with modern banking trojans such as Anubis and Cerberus/Alien, researchers said.

TeaBot also can send, intercept or hide SMS messages; enable keylogging; steal Google Authentication codes; and use Accessibility Services and real-time screen sharing to obtain full remote control of an Android device, according to researchers.

“We assume that TeaBot, similar to Oscorp, is trying to achieve a real-time interaction with the compromised device combined with the abuse of Android Accessibility Services bypassing the need of a ‘new device enrollment’ to perform an Account Takeover scenario,” researchers wrote in the report.
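From the defender's side, the combination described above (an enabled accessibility service belonging to an app that also requests SMS permissions) can be triaged on a managed device. The following Python is an added example, not code from the Cleafy report or from Threatpost; the package names, allowlist, permission inventory and severity heuristic are assumptions, and the input is a constructed value in the colon-separated format of Android's `enabled_accessibility_services` secure setting.

```python
# Added example: flag enabled accessibility services outside an allowlist.
# All package names and permission sets below are constructed sample data.
SMS_PERMS = {"android.permission." + p for p in ("RECEIVE_SMS", "READ_SMS", "SEND_SMS")}

# Constructed value in the format printed by
# `adb shell settings get secure enabled_accessibility_services`
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.mediaplayer/.HelperService:"
    "com.example.notes/com.example.notes.ReaderService"
)
SAMPLE_ALLOWLIST = {"com.google.android.marvin.talkback"}
# Constructed inventory: package -> permissions requested in its manifest
SAMPLE_PERMS = {
    "com.example.mediaplayer": ["android.permission.RECEIVE_SMS",
                                "android.permission.SEND_SMS",
                                "android.permission.INTERNET"],
    "com.example.notes": ["android.permission.INTERNET"],
}

def parse_enabled_services(setting_value):
    """Split the colon-separated 'package/class' list into (package, class)."""
    services = []
    for entry in setting_value.strip().split(":"):
        if not entry or entry == "null":   # "null" is printed when unset
            continue
        package, _, cls = entry.partition("/")
        if cls.startswith("."):            # expand shorthand class names
            cls = package + cls
        services.append((package, cls))
    return services

def triage(setting_value, allowlist, requested_perms):
    """Return findings for non-allowlisted services; SMS access raises severity."""
    findings = []
    for package, cls in parse_enabled_services(setting_value):
        if package in allowlist:
            continue
        sms = sorted(SMS_PERMS & set(requested_perms.get(package, ())))
        findings.append({"package": package, "service": cls,
                         "severity": "high" if sms else "review",
                         "sms_permissions": sms})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_SETTING, SAMPLE_ALLOWLIST, SAMPLE_PERMS):
        print(finding)
```

A "review" finding is not a verdict: legitimate assistive apps register accessibility services too, so the allowlist has to reflect what the organization actually deploys.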

Indeed, banking trojans often rely on how “relatively easily intercepted” user credentials and SMS messages are once a device becomes infected, allowing them ready access to banking apps, noted David Stewart, CEO of security firm Approov. This should inspire enterprises to “add further checks on the apps and their runtime environment before accepting API transactions requests,” he said in an e-mail to Threatpost.

Prominent Features

While TeaBot shares features with other trojans, it relies more heavily on some than on others, researchers observed. One of the main activities of the trojan is keylogging, through which “TeaBot is able to observe and track all the information performed by the user on the targeted applications,” researchers said.

While this behavior is similar to that of another Android banking trojan, EventBot, TeaBot differs in that it tracks only targeted apps rather than all apps, as EventBot does, researchers noted. This means less traffic is generated between the banker and the command-and-control server, calling less attention to the nefarious activity.

TeaBot also has a unique feature that takes screenshots in a continuous loop, allowing constant monitoring of the compromised device’s screen, researchers noted.

While TeaBot appears to be localized “within certain European countries for the time being,” banks operating in the rest of the world should also be put on notice, as “such attacks can quickly spread regionally and across the globe,” observed one security expert.

“As compromised login credentials can be used in conjunction with biographic information that is easy to socially engineer these days, a mobile only problem can quickly spread cross channel across online and traditional contact center channels and overwhelm the bank’s fraud team,” Rajiv Pimplaskar, chief research officer for security firm Veridium, said in an email to Threatpost.
