TeaBot – A New Malware that Steals Victims’ Credentials and Intercepts SMS Messages

A new and rapidly spreading Android banking trojan, named TeaBot, was discovered and analyzed by Cleafy. TeaBot steals the victim’s credentials and SMS messages to enable fraud scenarios against a predefined list of banks.

Features of TeaBot:

TeaBot has the following capabilities:

  • Ability to perform overlay attacks against multiple banking applications to steal login credentials and credit card information
  • Ability to send / intercept / hide SMS messages
  • Enable keylogging functionalities
  • Ability to steal Google Authentication codes
  • Ability to obtain full remote control of an Android device (via Accessibility Services and real-time screen-sharing)

TeaBot – In-depth Analysis

TeaBot was initially named “TeaTV”, but the app name has recently been changed to “VLC MediaPlayer”, “Mobdro”, “DHL”, “UPS” and “bpost”.

The main permissions obtained by TeaBot allow it to:

  • Send / intercept SMS messages
  • Read the phone book and phone state
  • Use device-supported biometric modalities
  • Modify audio settings (e.g. to mute the device)
  • Show a popup on top of all other apps (used during the installation phase to force the user to accept the Accessibility Service permission)
  • Delete an installed application
  • Abuse Android Accessibility Services

List of permissions declared in the AndroidManifest.xml
Main app icons used by TeaBot
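The permission set above is a useful triage signal on its own. The following Python script is an added example, not code from the article or from Cleafy: it parses an AndroidManifest.xml, groups the requested permissions by the capabilities listed above, and flags the combination as a banker-like profile. The mapping from capabilities to permission strings, the sample manifest, and the threshold of four groups are all assumptions of this example, not TeaBot’s exact manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Assumed mapping from the capabilities the article lists to the standard Android
# permissions that grant them (an analyst's mapping, not TeaBot's exact manifest).
CAPABILITY_PERMISSIONS = {
    "send/intercept SMS": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                           "android.permission.READ_SMS"},
    "phone book / phone state": {"android.permission.READ_CONTACTS", "android.permission.READ_PHONE_STATE"},
    "biometrics": {"android.permission.USE_BIOMETRIC", "android.permission.USE_FINGERPRINT"},
    "audio settings": {"android.permission.MODIFY_AUDIO_SETTINGS"},
    "popup over other apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "delete installed apps": {"android.permission.REQUEST_DELETE_PACKAGES"},
}

def declared_permissions(manifest_xml):
    """Names from every <uses-permission> element in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}

def accessibility_services(manifest_xml):
    """<service> names guarded by BIND_ACCESSIBILITY_SERVICE, i.e. accessibility services."""
    root = ET.fromstring(manifest_xml)
    return [s.get(ANDROID_NS + "name", "") for s in root.iter("service")
            if s.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND]

def triage(manifest_xml):
    """Group requested permissions by capability and flag the TeaBot-like profile."""
    perms = declared_permissions(manifest_xml)
    hits = {cap: sorted(perms & names)
            for cap, names in CAPABILITY_PERMISSIONS.items() if perms & names}
    a11y = accessibility_services(manifest_xml)
    if a11y:
        hits["accessibility service"] = a11y
    # Threshold is an assumption: four or more groups together is the banker profile.
    return {"hits": hits, "score": len(hits), "banker_profile": len(hits) >= 4}

# Constructed sample manifest (not TeaBot's real one) exhibiting the described profile.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application>
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Running `triage(SAMPLE_MANIFEST)` on a manifest decoded from an APK (for example with apktool) gives a quick first-pass verdict before any dynamic analysis.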

TeaBot main features

The main features observed during the analysis of the banker are the following.

TeaBot sends the list of installed apps to its C2 to verify whether the infected device has one or more targeted apps installed. When TeaBot finds one of them, it downloads the specific payload to perform overlay attacks and starts tracking all activity the user performs in the targeted app. That information is sent back to the assigned C2 every 10 seconds.


One of the particularities of TeaBot is its capability to take screenshots in order to constantly monitor the screen of the compromised device. When the C2 sends the “start_client” command with an IP address and port, the C2 begins requesting images and TeaBot enters a loop in which it creates a “Virtual Screen” and takes screenshots from it.

Overlay attack:

A malicious application or user is somehow able to perform actions on behalf of the victim. This usually takes the form of an imitation app or a WebView launched “on top” of a legitimate application (such as a banking app).

Geographical distribution of banks currently targeted by TeaBot

Be aware of the situation and take the necessary steps to safeguard your environment!


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
