TeaBot Android Malware Focuses on Stealing Financial Data

Android malware is becoming increasingly common now that most people rely on their mobile devices for all kinds of payments, communication, and two-factor authentication. This gives cybercriminals the opportunity to easily hijack valuable information by planting Android malware. Their task becomes even easier because the majority of users still underestimate the importance of protecting their mobile device from malware. Nowadays, investing in reputable Android antivirus software is a must.

The latest malicious implant to go after Android devices is the Teabot Malware, and, so far, its attacks have targeted users in Europe. Spanish, German, Italian, Belgian, and Dutch users are just some of the groups that the Teabot Malware operators go after.

Teabot operates like a banking Trojan and cybersecurity researchers state that it can use phishing overlays and fake messages/pop-ups for over 60 different banks and financial institutions active in the aforementioned countries. There is no clear information about the methods used to spread the Teabot Malware, but it is likely that its victims get infected via:

  • Cracked APK packages downloaded from shady sources.
  • Fake downloads promoted through social media, text messages, or ads.
  • Malicious email attachments.
  • Downloads from non-trustworthy sources.

Two basic security tips that you can follow to make your Android device impenetrable to malware are using a reputable anti-malware app and only downloading apps from the official Google Play app.

Once the Teabot Malware is up and running, it may disguise itself temporarily under various names like Android Service, DHL, UPS, bpost, VLC Media Player, or Mobdro. It then requests permission to use Android accessibility services, which is a common strategy that Android malware families employ to get control over the compromised device. If these permissions are granted, Teabot Malware proceeds to delete its icons from all menus, thereby minimizing the chance that the user will notice anything out of the ordinary.

Once the implant is active, it starts monitoring the user's activities and checking the names of opened apps and browser tabs. If it notices that the user is trying to access one of the supported banking portals, it will automatically show a fake overlay on top of the official page. Login credentials entered there are submitted to the attacker's server in plain text. The Teabot Malware can also intercept incoming text messages and hide the notifications from the user, which makes it possible for the criminals to bypass two-factor authentication.
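Because the behavior described above depends on an accessibility service being enabled for an app that most likely came from outside the official store, a device can be triaged for that combination. The script below is an added example, not code from the original article; it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and the sample output and package names in it are constructed.

```python
"""Flag apps that hold an enabled accessibility service but were not
installed by a trusted store. Sample adb output below is constructed."""
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend for a managed store

# Constructed samples; the package names are hypothetical.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.parcel.tracker/com.example.parcel.tracker.Svc"
)
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.parcel.tracker  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
"""

def accessibility_packages(setting_value):
    """Package names that own an enabled accessibility service."""
    value = setting_value.strip()
    if not value or value == "null":  # setting unset: nothing is enabled
        return set()
    # The setting is a colon-separated list of package/service components.
    return {c.split("/", 1)[0] for c in value.split(":") if c}

def installers(pm_output):
    """Map package name -> installer as reported by 'pm list packages -i'."""
    pat = re.compile(r"^package:(\S+)\s+installer=(\S+)$")
    lines = map(str.strip, pm_output.splitlines())
    return {m.group(1): m.group(2) for m in map(pat.match, lines) if m}

def flag_sideloaded_accessibility(setting_value, pm_output):
    """Sorted (package, installer) pairs that deserve manual review."""
    source = installers(pm_output)
    return sorted(
        (pkg, source.get(pkg, "unknown"))
        for pkg in accessibility_packages(setting_value)
        if source.get(pkg) not in TRUSTED_INSTALLERS
    )

if __name__ == "__main__":
    for pkg, src in flag_sideloaded_accessibility(SAMPLE_A11Y, SAMPLE_PACKAGES):
        print(f"REVIEW {pkg}: accessibility service enabled, installer={src}")
```

Preinstalled system apps can also report `installer=null`, so a flagged package is a lead for manual review rather than proof of infection.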

The Teabot Malware is very similar to the Flubot Android malware family, and experts suspect that the same organization might be behind both of these campaigns. Protect your device immediately by installing and activating a reputable Android antivirus app.

May 12, 2021
