Among the numerous digital threats that circulate at any given time, ranging from credential-stealing malware to malicious code that bombards the end user with annoying ads and pop-ups, the scariest and potentially most destructive are those directed at victims’ banks and financial institutions.
Security researchers have now identified another such piece of Android malware, TeaBot, warning in recent days that it is capable of performing actions such as live streaming the target device's screen for the attackers' benefit.
The TeaBot Android banking Trojan was first discovered in January by researchers on the Threat Intelligence and Incident Response team at cybersecurity company Cleafy. The primary objective of this threat is to steal the victim's credentials and SMS messages in order to enable fraud scenarios against a list of banks located throughout Europe, including Spain, Germany, Italy, Belgium, and the Netherlands.
After successfully installing TeaBot on the victim’s device, attackers can obtain live streaming of the device’s screen (on demand) and also interact with it via Accessibility Services, the Cleafy team explained in a technical analysis of the threat.
TeaBot is capable of the following actions:
- Conducting overlay attacks against multiple bank applications in order to steal login credentials and credit card information.
- Logging keystrokes.
- Stealing Google Authentication codes.
- Obtaining complete remote control of an Android device (via Accessibility Services and real-time screen sharing).
When TeaBot was first discovered, it was found to target exclusively Spanish banks. However, the Cleafy team reports that new TeaBot samples began appearing in March, this time targeting German and Italian banks. TeaBot also currently supports a number of languages, including Spanish, English, Italian, German, French, and Dutch.
“It is critical to remember that even though the apps are not available on Google Play, the phishing/social engineering tactics employed by the actors behind TeaBot/Flubot are as effective as those employed by any threat family on the PC side, and that they can amass a large infection base in a relatively short period of time. These dangers are not to be taken lightly.”
How malware works on your phone
According to Adam Bauer, a security researcher for mobile security company Lookout, mobile malware typically takes one of two approaches. The first type of malware deceives you into granting it permission to access sensitive data. That is where the Ads Blocker app comes in, and many of the permissions it requests sound like those required by a legitimate ad blocker. However, they allowed the app to run in the background and display ads to users even when they were using unrelated apps.
The second type of malware takes advantage of phone vulnerabilities to gain access to sensitive data by granting itself administrator privileges. This eliminates the need for users to click “OK” on permissions requests, allowing malware to run undetected on the device.
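One way to audit a device for the permission-based approach and the Accessibility Services abuse described above, as an added example (not from Cleafy's or Lookout's analysis): it parses the output of three standard `adb shell` commands and flags apps that hold an enabled accessibility service but are neither system apps nor installed from Google Play. The sample outputs, package names and the trusted-installer list are constructed assumptions.

```python
import re

# Installer package names treated as trusted stores (assumption: Google Play only).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.mediaplayer/.PlayerAccessibilityService:"
    "com.example.passwords/.AutofillService"
)

# Constructed sample output of: adb shell pm list packages -i
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=null
package:com.example.mediaplayer  installer=com.google.android.packageinstaller
package:com.example.passwords  installer=com.android.vending
"""

# Constructed sample output of: adb shell pm list packages -s  (system apps)
SAMPLE_SYSTEM = "package:com.google.android.marvin.talkback\n"

def enabled_a11y_packages(setting):
    """Package names from the colon-separated component list; 'null' means none."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    return [comp.split("/", 1)[0] for comp in setting.split(":") if comp]

def installers(pm_output):
    """Map package -> installer from `pm list packages -i` lines."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M))

def flag_sideloaded_a11y(setting, pm_i, pm_s):
    """Packages with an enabled accessibility service that are neither
    system apps nor installed by a trusted store."""
    system = set(re.findall(r"^package:(\S+)", pm_s, re.M))
    source = installers(pm_i)
    return [(pkg, source.get(pkg, "unknown"))
            for pkg in enabled_a11y_packages(setting)
            if pkg not in system and source.get(pkg) not in TRUSTED_INSTALLERS]

if __name__ == "__main__":
    for pkg, src in flag_sideloaded_a11y(SAMPLE_A11Y, SAMPLE_INSTALLERS, SAMPLE_SYSTEM):
        print(f"review: {pkg} has an accessibility service, installer={src}")
```

A flagged package is a prompt for manual review, not a verdict: legitimate sideloaded tools can also register accessibility services.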
Regular software updates will help keep your Android phone safe from hackers.