An Android trojan that can steal victims’ SMS messages and credentials, and completely take over smartphone devices, has been discovered by Cleafy’s Threat Intelligence and Incident Response (TIR), an Italian cybersecurity and online fraud prevention company.
The trojan, dubbed TeaBot, is aimed at committing fraud against at least 60 banks in Europe. The malware is said to be in its early stages of development, with attacks on financial apps commencing on March 29, 2021 against banks in Italy, followed by a rash of infections in the first week of May against Belgian and Dutch banks. However, the researchers found evidence of the first signs of TeaBot activity as early as January, when it targeted banks in Spain, and of attacks on German banks in early March.
How does TeaBot interfere with the way you use your smartphone?
- Steals credentials and credit card information
- Sends and intercepts SMS
- Reads smartphone status
- Modifies audio options
- Shows pop-ups to request more permissions
- Gets a live feed of the device’s screen on demand
- Deletes applications
- Disables Google Play Protect
Although this behavior is similar to FluBot's, TeaBot differs in that it scans only selected applications rather than all of them. This means less traffic is generated between the banker and its command and control server, drawing less attention to the malicious activity. The malware also poses as other applications, hiding behind names like DHL, UPS, VLC MediaPlayer or Mobdro. The collected information is exfiltrated every 10 seconds to a remote server controlled by the attacker.
Android malware abusing accessibility services as a stepping stone for perpetrating data theft has witnessed a surge in recent months. Since the start of the year, at least three different malware families — Oscorp, BRATA, and FluBot — have banked on the feature to gain total control of the infected devices.
The CTO of cybersecurity provider Blue Hexagon rates TeaBot as a serious threat, even though the malware has not yet made it into Google’s Play Store. “It’s important to remember that the phishing / social engineering tactics used by the actors behind Teabot / FluBot are as good as any other family of threats on the PC side; that they can manage to build up a huge infection base within a short period of time, even if the apps are not on Google Play. These threats should not be underestimated.”
How to protect yourself from Android banking trojans?
As the experts state, TeaBot, like the Android malware Oscorp, tries to achieve real-time interaction with compromised devices in order to carry out an ATO (Account Takeover) attack, simply by abusing Android accessibility services to fraudulently take control of newly infected devices.
Therefore, to protect yourself from the increasingly rampant mobile threats posed by the countless variants of banking Trojans, it is always advisable to follow at least these minimum security measures:
- Always check the reliability of the apps you use, verifying them with the relevant customer service;
- Check user ratings before downloading a new app;
- Rely, with caution, only on legitimate stores: Google Play is in any case always a reliable source;
- Pay attention to the permissions required by the app installation processes, granting them only if you are sure they are necessary for proper operation;
- Regularly scan your mobile device for the latest threats with up-to-date antivirus systems;
- Always keep your Android operating system updated with updates and security patches released periodically.
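One practical check that follows from the accessibility-abuse point above, added here as an example and not code from the original article or from Cleafy: audit which accessibility services are enabled on a device and flag any that are unexpected, raising severity when the owning app's label imitates one of the brands TeaBot poses as (a legitimate DHL, UPS or VLC app has no reason to run an accessibility service). The allowlist, sample setting value and package labels are constructed for the example; on a real device the setting value comes from `adb shell settings get secure enabled_accessibility_services`.

```python
"""Audit enabled Android accessibility services against an allowlist.

The secure setting `enabled_accessibility_services` is a colon-separated list of
`package/service` component entries; anything not on the allowlist is reported.
"""
from __future__ import annotations

# ASSUMED allowlist of services the device owner knowingly enabled (TalkBack here).
ALLOWED_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Brand names the article says TeaBot hides behind.
IMPERSONATED_BRANDS = ("DHL", "UPS", "VLC", "Mobdro")


def parse_enabled_services(value: str) -> list[tuple[str, str]]:
    """Split 'pkg/svc:pkg2/svc2' into (package, fully qualified service) pairs."""
    pairs = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, _, svc = entry.partition("/")
        if svc.startswith("."):  # short form: class name relative to the package
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def audit(value: str, labels: dict[str, str], allowed=ALLOWED_SERVICES) -> list[dict]:
    """Return one finding per enabled service that is not on the allowlist."""
    findings = []
    for pkg, svc in parse_enabled_services(value):
        if f"{pkg}/{svc}" in allowed:
            continue
        label = labels.get(pkg, "")
        brand = next((b for b in IMPERSONATED_BRANDS if b.lower() in label.lower()), None)
        findings.append({
            "package": pkg, "service": svc, "label": label,
            "severity": "high" if brand else "medium",
            "reason": f"app label imitates {brand}" if brand else "unexpected accessibility service",
        })
    return findings


# Constructed sample input: TalkBack plus a hypothetical dropper posing as a DHL app.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.dropper/.AccService")
SAMPLE_LABELS = {"com.google.android.marvin.talkback": "TalkBack",
                 "com.example.dropper": "DHL Express Tracking"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTING, SAMPLE_LABELS):
        print(finding)
```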
Author Anna Kranj | Nordic IT Security, May 17, 2021