For all the digital threats that are circulating at any given time, including everything from credential-stealing malware to malicious code that bombards the end user with annoying ads and pop-ups, among the scariest and potentially most destructive are the threats that target victims’ banks and financial institutions.
We’ve reported on a number of such threats, including malware that steals login credentials to drain victim bank accounts. And now, another similar piece of Android malware has been identified by security researchers, who in recent days warned that this malware (which has been dubbed “TeaBot”) can take actions like live streaming the target device screen for the benefit of the attackers. It can also hijack login credentials and text messages in order to engage in fraudulent bank activity.
Researchers on the Threat Intelligence and Incident Response team at the cybersecurity company Cleafy identified the TeaBot Android banking Trojan back in January. This threat’s main goal, they found, is to steal the victim’s credentials and SMS messages to enable fraud scenarios against a list of banks in European regions including Spain, Germany, Italy, Belgium, and the Netherlands. “Once TeaBot is successfully installed in the victim’s device, attackers can obtain a live streaming of the device screen (on demand) and also interact with it via Accessibility Services,” the Cleafy team explained in a technical analysis about the threat.
Among the actions TeaBot is able to take, this threat:
- Has the ability to perform overlay attacks against multiple banking applications to steal login credentials and credit card information
- Can send, intercept, and hide SMS messages
- Enables key logging functionalities
- Has the ability to steal Google Authentication codes
- Has the ability to obtain full remote control of an Android device via Accessibility Services and real-time screen sharing
When TeaBot was initially discovered, it was found to focus only on Spanish banks. However, according to the Cleafy team, new samples of TeaBot started showing up in March that targeted German and Italian banks for the first time. Moreover, TeaBot currently supports several different languages, including Spanish, English, Italian, German, French, and Dutch.
In explaining how dangerous a piece of malware this is, Saumitra Das, CTO of cybersecurity firm Blue Hexagon, told ZDNet that it proves once again how “threat actors realize the true potential of mobile devices and the threat they can pose to the end-user.”
“It is important to remember that even though the apps are not on Google Play, the phishing/social engineering tactics used by the actors behind TeaBot/Flubot are as good as any threat family on the PC side. That within a short time frame, they can manage to get a huge infection base. These threats should not be underestimated.”