A new and rapidly spreading Android banking trojan, named TeaBot, was discovered and analyzed by Cleafy. TeaBot steals the victim’s credentials and SMS messages to enable fraud scenarios against a predefined list of banks.
TeaBot offers the following capabilities:
TeaBot was initially named “TeaTV”, but the app name has recently been changed to “VLC MediaPlayer”, “Mobdro”, “DHL”, “UPS” and “bpost”.
The main permissions obtained by TeaBot allow it to:
The main features observed during the analysis of the banker are the following.
TeaBot sends the list of installed apps to the C2 to verify whether the infected device has one or more targeted apps already installed. When TeaBot finds one of them, it downloads the specific payload to perform overlay attacks and starts tracking all the activity performed by the user on the targeted app. That information is sent back to the assigned C2 every 10 seconds.
One of the particularities of TeaBot is its capability to take screenshots in order to constantly monitor the screen of the compromised device. When the C2 sends the “start_client” command with an IP address and port, the C2 starts requesting images and TeaBot enters a loop in which it creates a “Virtual Screen” for taking screenshots.
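The fixed 10-second reporting interval described above is the kind of low-jitter beaconing a defender can hunt for in connection logs. The following detector is an added example, not code from Cleafy’s report or from this article; the flow records, host addresses and C2 address are constructed placeholders.

```python
# Detect fixed-interval beaconing in connection logs (added illustration,
# not code from Cleafy's report). Constructed sample: one host contacting
# a placeholder C2 every ~10 s, plus ordinary browsing traffic.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (0.0, "10.0.0.5", "203.0.113.7", 8443), (10.1, "10.0.0.5", "203.0.113.7", 8443),
    (19.9, "10.0.0.5", "203.0.113.7", 8443), (30.2, "10.0.0.5", "203.0.113.7", 8443),
    (40.0, "10.0.0.5", "203.0.113.7", 8443), (50.1, "10.0.0.5", "203.0.113.7", 8443),
    # Ordinary bursty browsing from another host: similar mean gap, but irregular
    (1.0, "10.0.0.9", "198.51.100.20", 443), (1.3, "10.0.0.9", "198.51.100.20", 443),
    (7.8, "10.0.0.9", "198.51.100.20", 443), (33.0, "10.0.0.9", "198.51.100.20", 443),
    (34.5, "10.0.0.9", "198.51.100.20", 443), (52.0, "10.0.0.9", "198.51.100.20", 443),
]

def find_beacons(flows, expected_period=10.0, tolerance=0.15, min_events=5):
    """Return (src, dst, port, mean_interval) for flow groups whose
    inter-arrival times cluster tightly around expected_period."""
    groups = defaultdict(list)
    for ts, src, dst, port in flows:
        groups[(src, dst, port)].append(ts)
    hits = []
    for key, stamps in groups.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low relative jitter AND a mean close to the expected period = beacon-like;
        # bursty human traffic fails the jitter test even when its mean gap matches.
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if abs(avg - expected_period) <= tolerance * expected_period and jitter <= tolerance:
            hits.append((*key, round(avg, 2)))
    return hits

if __name__ == "__main__":
    for src, dst, port, period in find_beacons(SAMPLE_FLOWS):
        print(f"beacon-like: {src} -> {dst}:{port} every ~{period}s")
```

Only the 10.0.0.5 group is reported; the browsing host has a comparable mean interval but far too much jitter to look like a timer-driven check-in.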
“A malicious application/user is somehow able to perform actions on behalf of the victim. This usually takes the form of an imitation app or a WebView launched “on-top” of a legitimate application (such as a banking app).”
Be aware of the situation and take the necessary steps to safeguard your environment!