TeaBot malware steals SMS and credentials

Cleafy researchers have discovered an Android banking trojan, TeaBot (aka Anatsa), that steals SMS messages and user credentials in order to gain access to bank accounts in Spain, Germany, Italy, Belgium and the Netherlands.

According to the researchers, the banker is still at an early stage of development: the first signs of its activity appeared in January, but attacks on financial applications have only been observed since the end of March 2021. Earlier this month, a large wave of infections was detected among bank users in Belgium and the Netherlands.

“The main goal of TeaBot is to steal credentials and SMS messages from victims in order to implement fraud with a predefined list of banks. After successfully installing TeaBot on a device, attackers can receive a live broadcast of the device’s screen (upon request), as well as interact with it through Accessibility Services,” the experts write.

TeaBot typically masquerades as multimedia or parcel-delivery apps, including TeaTV, VLC Media Player, DHL and UPS. The installed app acts as a dropper: it not only downloads the second-stage payload but also coerces the victim into granting the malware every permission it needs.


Once access to Accessibility Services has been granted, the operators can log keystrokes, take screenshots, and inject malicious overlays on top of legitimate banking apps' login screens to steal credentials and bank card details.


In addition, TeaBot can disable Google Play Protect, intercept SMS messages, and read Google Authenticator 2FA codes through the same accessibility access. The collected information is transmitted to the attackers' remote server every 10 seconds.
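A fixed 10-second upload interval is a network-side indicator worth hunting for. The following is an added example, not code from the article or from Cleafy: it groups egress connections per (client, destination) pair and flags pairs whose inter-arrival gaps are almost constant. The log format and all IP addresses are constructed for this example; real exfiltration traffic is usually TLS, so the check works on connection metadata, not content, and the interval may differ between samples.

```python
"""Flag client/destination pairs that connect at a machine-regular interval.

Added example for beaconing detection; the log lines, addresses and thresholds
below are constructed for illustration and are not from the TeaBot report.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed egress log: "<ISO timestamp> <client_ip> -> <destination>:<port>".
# 10.0.0.7 uploads every ~10 s with small jitter (TeaBot-like); 10.0.0.9 is
# irregular, human-driven traffic to a single site.
SAMPLE_LOG = """\
2021-05-12T10:00:00 10.0.0.7 -> 203.0.113.10:443
2021-05-12T10:00:10 10.0.0.7 -> 203.0.113.10:443
2021-05-12T10:00:20 10.0.0.7 -> 203.0.113.10:443
2021-05-12T10:00:31 10.0.0.7 -> 203.0.113.10:443
2021-05-12T10:00:40 10.0.0.7 -> 203.0.113.10:443
2021-05-12T10:00:50 10.0.0.7 -> 203.0.113.10:443
2021-05-12T10:00:03 10.0.0.9 -> 198.51.100.5:443
2021-05-12T10:00:47 10.0.0.9 -> 198.51.100.5:443
2021-05-12T10:01:02 10.0.0.9 -> 198.51.100.5:443
2021-05-12T10:02:40 10.0.0.9 -> 198.51.100.5:443
2021-05-12T10:02:41 10.0.0.9 -> 198.51.100.5:443
2021-05-12T10:03:50 10.0.0.9 -> 198.51.100.5:443
"""


def parse_log(text: str) -> dict[tuple[str, str], list[datetime]]:
    """Group connection timestamps by (client, destination)."""
    flows: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(times: list[datetime], min_events: int = 5) -> tuple[float, float] | None:
    """Return (median_gap_seconds, jitter_ratio), or None with too few events.

    jitter_ratio is the population standard deviation of the inter-arrival
    gaps divided by their median; values near 0 mean a fixed timer, values
    near or above 1 mean bursty, human-like activity.
    """
    if len(times) < min_events:
        return None
    ordered = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    med = median(gaps)
    if med <= 0:
        return None
    return med, pstdev(gaps) / med


def find_beacons(text: str, max_jitter: float = 0.15, min_events: int = 5) -> list[tuple[str, str, float, float]]:
    """Return (client, destination, period_s, jitter) for regular talkers."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        score = beacon_score(times, min_events)
        if score is not None and score[1] <= max_jitter:
            hits.append((src, dst, round(score[0], 1), round(score[1], 3)))
    return hits


if __name__ == "__main__":
    for src, dst, period, jitter in find_beacons(SAMPLE_LOG):
        print(f"beacon: {src} -> {dst} every {period}s (jitter {jitter})")
```

On the constructed data only 10.0.0.7 is reported, with a 10.0-second period and a jitter ratio of about 0.06; the browsing-style flow from 10.0.0.9 has a ratio near 0.8 and is ignored. In production, tune `max_jitter` and `min_events` against your own baseline, and treat a hit as a lead for device triage rather than as proof of infection, since legitimate polling apps also beacon.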

TeaBot is distributed in several ways. Most commonly it arrives as a sideloaded app installed from outside Google Play; in some reported cases the infection followed a fake tech-support scam. Either way, caution is warranted.

Be careful with the permissions you grant to new apps. After installation, TeaBot asks the victim to enable its accessibility service, whose system prompt lists the following capabilities, all of which the malware needs for its malicious behavior:

  • Observe your actions: used to intercept and observe the user's actions.
  • Retrieve window content: used to retrieve sensitive information such as login credentials, SMS messages and 2FA codes from authenticator apps.
  • Perform arbitrary gestures: used to accept further permission prompts by itself immediately after installation, for example the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS popup.

Once the requested permissions have been accepted, the malicious application will remove its icon from the device.
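The two behaviours above, an enabled accessibility service belonging to an app you never deliberately configured and a third-party package that exposes no launcher icon, can be checked together on a device. The following is an added triage helper, not the article's or Cleafy's code. It assumes three inputs that an analyst would collect over `adb shell`: the raw value of `settings get secure enabled_accessibility_services`, the set of packages that expose a LAUNCHER activity, and the set of third-party packages; the package names and the allowlist in the sample data are constructed.

```python
"""Triage enabled accessibility services against launcher visibility.

Added example; the package names, allowlist and sample device values are
constructed and are not indicators from the TeaBot report.
"""
from __future__ import annotations

from dataclasses import dataclass

# Accessibility services that are expected on a managed device. Constructed
# allowlist for this example; a real fleet should maintain its own.
ALLOWED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}

# Constructed sample device state (what `adb shell` would return).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.mediaplayer/.AccService"
)
SAMPLE_LAUNCHER_PACKAGES = {"com.android.settings", "com.example.notes"}
SAMPLE_THIRD_PARTY_PACKAGES = {"com.example.mediaplayer", "com.example.notes"}


@dataclass
class Finding:
    package: str
    service: str
    hidden_icon: bool
    severity: str


def parse_enabled_services(setting_value: str) -> list[tuple[str, str]]:
    """Parse the enabled_accessibility_services setting.

    The value is a colon-separated list of flattened component names,
    'pkg/cls', where a class beginning with '.' is relative to the package.
    An unset value reads as 'null' or an empty string.
    """
    if setting_value.strip() in ("", "null"):
        return []
    services = []
    for entry in setting_value.strip().split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def triage(setting_value: str, launcher_packages: set[str], third_party_packages: set[str]) -> list[Finding]:
    """Report non-allowlisted accessibility services; escalate those whose
    third-party package has no launcher icon, matching the icon-hiding step."""
    findings = []
    for pkg, cls in parse_enabled_services(setting_value):
        if pkg in ALLOWED_ACCESSIBILITY_PACKAGES:
            continue
        hidden = pkg in third_party_packages and pkg not in launcher_packages
        findings.append(Finding(pkg, cls, hidden, "high" if hidden else "medium"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SETTING, SAMPLE_LAUNCHER_PACKAGES, SAMPLE_THIRD_PARTY_PACKAGES):
        print(f"[{f.severity}] {f.package} runs {f.service}; icon hidden: {f.hidden_icon}")
```

On the sample state the helper ignores TalkBack and reports `com.example.mediaplayer` as high severity, because its accessibility service is enabled and the package has vanished from the launcher. A missing launcher icon alone is normal for plugins and input methods, so the combination, not either signal by itself, is what makes the finding worth pulling the APK for.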

Let me remind you that I also wrote about how the Osiris banking Trojan was replaced by its “relative”, the Ares malware.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on that PC. After graduating from school, I decided to enter the INSA Centre Val de Loire university. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
