The Teabot malware is a new Android Trojan that is being deployed in phishing attacks targeting users across Europe. The malware's primary function is to collect credentials and intercept SMS messages in order to commit financial fraud against a multitude of European banks. "Once established onto the compromised device, the Teabot malware can provide the threat actor with a live stream of that device's screen, while also abusing Accessibility Services to perform other malicious activities."
The malware's first action is to get itself installed as an 'Android Service,' a designation for application components that are allowed to carry out long-running operations in the background of the device. By abusing this feature, Teabot can hide its presence from the user, make detection that much harder, and ensure its persistence on the breached device. By requesting various Android permissions, the malware can observe the user's actions, perform arbitrary gestures, and retrieve sensitive window content.
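The combination of declarations just described (a service bound with the Accessibility permission, SMS access, a background service for persistence) is visible in an app's AndroidManifest.xml before the app ever runs, which is where a triage analyst would first look. The following is an added example written for this page, not code from the original report or from any Teabot analysis: it parses a constructed manifest that mirrors the behaviours the text attributes to Teabot (the package name, component names and the benign comparison manifest are all made up for illustration) and reports which of those indicators are present and a coarse risk level. The permission and action strings it looks for are the real Android ones.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Attributes in an Android manifest live in this namespace (android:name etc.)
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android declarations that correspond to the behaviours described above
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
FOREGROUND_PERMISSION = "android.permission.FOREGROUND_SERVICE"

# Constructed sample: a manifest shaped like the dropper the report describes.
# Package and component names are invented for this example.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="TeaTV">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".KeepAlive" android:foregroundServiceType="dataSync"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign comparison: network access and an ordinary service only.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


@dataclass
class ManifestFacts:
    package: str
    permissions: Set[str] = field(default_factory=set)
    accessibility_services: List[str] = field(default_factory=list)
    foreground_services: List[str] = field(default_factory=list)
    sms_receivers: List[str] = field(default_factory=list)


def parse_manifest(xml_text: str) -> ManifestFacts:
    """Extract the declarations relevant to the behaviours described in the text."""
    root = ET.fromstring(xml_text)
    facts = ManifestFacts(package=root.get("package", ""))
    for up in root.iter("uses-permission"):
        name = up.get(ANDROID_NS + "name")
        if name:
            facts.permissions.add(name)
    for svc in root.iter("service"):
        name = svc.get(ANDROID_NS + "name", "?")
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        # An accessibility service is bound with BIND_ACCESSIBILITY_SERVICE and
        # filters on the AccessibilityService action; either marker is enough here.
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION or ACCESSIBILITY_ACTION in actions:
            facts.accessibility_services.append(name)
        if svc.get(ANDROID_NS + "foregroundServiceType"):
            facts.foreground_services.append(name)
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            facts.sms_receivers.append(rcv.get(ANDROID_NS + "name", "?"))
    return facts


def triage(xml_text: str) -> Tuple[str, List[str]]:
    """Return (risk level, human-readable findings) for one manifest."""
    facts = parse_manifest(xml_text)
    findings: List[str] = []
    if facts.accessibility_services:
        findings.append("accessibility service: " + ", ".join(facts.accessibility_services))
    sms = bool(facts.permissions & SMS_PERMISSIONS) or bool(facts.sms_receivers)
    if sms:
        findings.append("SMS access: " + ", ".join(sorted(facts.permissions & SMS_PERMISSIONS) + facts.sms_receivers))
    overlay = OVERLAY_PERMISSION in facts.permissions
    if overlay:
        findings.append("overlay permission: " + OVERLAY_PERMISSION)
    if FOREGROUND_PERMISSION in facts.permissions or facts.foreground_services:
        findings.append("background persistence: " + ", ".join(facts.foreground_services) or FOREGROUND_PERMISSION)
    # Accessibility control combined with SMS or overlay capability is the
    # banking-Trojan pattern; either capability alone still deserves a look.
    if facts.accessibility_services and (sms or overlay):
        level = "high"
    elif facts.accessibility_services or sms or overlay:
        level = "medium"
    else:
        level = "low"
    return level, findings


if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        level, findings = triage(xml)
        print(f"{label}: {level}")
        for f in findings:
            print("  -", f)
```

On a real APK the manifest is binary-encoded; decode it first (for example with apktool or androguard) and feed the resulting XML to `triage`. The score is deliberately coarse: legitimate accessibility tools and SMS apps declare some of the same things, so the output is a prioritisation hint for an analyst, not a verdict.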
Teabot is under Active Development
While the researchers were observing the Teabot operation, they saw a drastic expansion in the malware's targets. Initially, the campaign focused solely on Spanish banks, but it soon grew to also affect banks in Germany and Italy. The latest Teabot versions can be used in fraudulent activities against more than 60 European banks located in Spain, Germany, Italy, Belgium and the Netherlands. The malware supports 6 different languages: Spanish, English, German, French, Dutch and Italian.
At the same time, the malicious application carrying the threat has rapidly switched between multiple disguises. It initially presented itself as an application named TeaTV. The threat actor then tried several other names, some impersonating legitimate and popular applications such as 'VLC MediaPlayer,' 'Mobdro,' 'UPS,' 'DHL' and 'bpost.'