Cleafy specialists discovered a malware for Android TeaBot (aka Anatsa) that steals SMS and user credentials in order to gain access to bank accounts in Spain, Germany, Italy, Belgium and the Netherlands.
According to the researchers, the banker is at an early stage of development, as first signs of its activity appeared back in January, but attacks on financial applications have been observed only since the end of March 2021. Earlier this month, a large wave of infections was detected among bank users in Belgium and the Netherlands.
Typically, malware masquerades as various multimedia and delivery services, including TeaTV, VLC Media Player, DHL and UPS. The application itself acts as a dropper, which not only downloads the second-level payload, but also forces the victim to grant the malware all the necessary rights.
By gaining access to Accessibility Services, criminals are able to intercept keystrokes, take screenshots, and inject malicious overlays on top of real banking app login screens (to steal credentials and bank card details).
In addition, TeaBot is capable of disabling Google Play Protect, intercepting SMS messages and Google Authenticator 2FA codes. The collected information is transmitted to a remote server of the attackers every 10 seconds.
Be careful with the permissions you give for new apps. After the installation, TeaBot will request the following Android permissions, which are mandatory to perform its malicious behavior:
- Observe your actions
- Used to intercept and observe the user action
- Retrieve window content
- Used to retrieve sensitive information such as login credentials, SMS, 2FA codes from authentication apps, etc.
- Perform arbitrary gestures
- TeaBot uses this feature to accept different kinds of permissions, immediately after the installation phase, for example the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission popup.
Once the requested permissions have been accepted, the malicious application will remove its icon from the device.
Let me remind you that I also talked about the fact that Osiris banking Trojan was replaced by its “relative” – the Ares malware.