A new Android malware named “TeaBot” (also tracked as “Anatsa”) has been spreading across European countries since January 2021. It targets customers of banks in five European countries by stealing their credentials and SMS messages.
Since January, cybersecurity researchers have been tracking TeaBot’s malicious activity. So far it has targeted banks in five European countries, including:
5. the Netherlands
At the end of March 2021, TeaBot started attacking financial apps. Since the first week of May its activity has been climbing toward a peak with more attacks, and this time banks are the victims of the malware.
TeaBot carries out fraud against well-established banks using users’ credentials and SMS messages. Its main objective is to steal user data, which the threat actors then use to plan their fraud.
First, the malware is installed on the user’s device; it then works in two stages. It drops a payload and then forces the user to grant the Accessibility Service permission. Through the Accessibility Service, TeaBot obtains a live stream of the device’s screen and interacts with it.
The malware impersonates media and package-delivery apps such as TeaTV, VLC Media Player, DHL, and UPS. An Italian cybersecurity and online fraud prevention firm stated:
“The main goal of TeaBot is stealing victims’ credentials and SMS messages for enabling fraud scenarios against a predefined list of banks. Once TeaBot is successfully installed in the victim’s device, attackers can obtain a live streaming of the device screen (on demand) and also interact with it via Accessibility Services.”
After gaining access, it connects directly to the targeted device. To obtain passcodes and all credit-card information, it starts activities that include:
- Taking screenshots
- Recording keystrokes
- Most importantly, laying its malicious overlay over the login screens of banking apps.
Every 10 seconds, all the gathered data is transferred to a remote server controlled by the threat actor.
The malware is extremely dangerous: it leaves no room for a security alert because it undermines the available safety measures. Google Play Protect is impaired by TeaBot, which can also intercept SMS messages and access Google Authenticator 2FA codes, among other things.
TeaBot has adopted the Accessibility Service technique, like FluBot. It attacks banking apps and hides itself from detection. Abuse of the Accessibility Service to siphon information is now being deployed widely in Android malware.
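As an added defensive example (not code from the original article or from any vendor named in it), a banking app can check, before showing its login screen, whether any accessibility service outside its own allow list is enabled and able to read window content, which is the capability this family abuses for keylogging and screen capture. The class name `LoginHardening` and the contents of `TRUSTED_PACKAGES` are assumptions.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.content.pm.ServiceInfo;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical helper a banking app could call before rendering its login form.
public final class LoginHardening {

    // Constructed allow list; a real app ships its own vetted set
    // (here only the platform's built-in screen reader).
    private static final Set<String> TRUSTED_PACKAGES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback"));

    // Returns the package names of enabled accessibility services that are
    // not on the allow list and that can retrieve window content. An empty
    // list means no untrusted service can currently read the screen.
    public static List<String> untrustedScreenReaders(Context ctx) {
        List<String> suspicious = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) {
            return suspicious;
        }
        List<AccessibilityServiceInfo> enabled =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        for (AccessibilityServiceInfo info : enabled) {
            if (info.getResolveInfo() == null) {
                continue;
            }
            ServiceInfo si = info.getResolveInfo().serviceInfo;
            boolean canReadScreen = (info.getCapabilities()
                    & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0;
            if (canReadScreen && !TRUSTED_PACKAGES.contains(si.packageName)) {
                suspicious.add(si.packageName);
            }
        }
        return suspicious;
    }
}
```

If the list is non-empty the app can warn the user and withhold the login form; setting `android:filterTouchesWhenObscured="true"` on that form additionally drops touches delivered while another window covers it.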
Once again, security researchers are warning users to stay alert and not fall victim to these cybercrimes. Just last month, countries such as Germany and the UK warned the public about FluBot infections.
People are repeatedly advised to be wary of fake SMS messages and not to open malicious links, as these can lead to installing spyware that extracts all the data from the device.