A new, feature-rich Android banking trojan, named TeaBot, was discovered and analyzed by Cleafy. TeaBot steals the victim's credentials and SMS messages in order to carry out fraud against a predefined list of banks.
Features of TeaBot:
TeaBot has the following capabilities:
- Ability to perform overlay attacks against multiple banking applications to steal login credentials and credit card information
- Ability to send / intercept / hide SMS messages
- Keylogging functionality
- Ability to steal Google Authenticator codes
- Ability to obtain full remote control of an Android device (via Accessibility Services and real-time screen sharing)
TeaBot – In-depth Analysis
TeaBot was initially named "TeaTV", but the app name was recently changed to "VLC MediaPlayer", "Mobdro", "DHL", "UPS" and "bpost".
The main permissions requested by TeaBot allow it to:
- Send / intercept SMS messages
- Read the phone book and phone state
- Use the device's supported biometric modalities
- Modify audio settings (e.g. to mute the device)
- Display a popup on top of all other apps (used during the installation phase to force the user to accept the accessibility service permissions)
- Delete an installed application
- Abuse Android Accessibility Services
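The permission list above is a useful triage signal on its own: a media player or courier-tracking app has no legitimate reason to combine SMS interception, an overlay window and an accessibility service. The script below is an added example (not Cleafy's tooling and not TeaBot code) that parses an AndroidManifest.xml and flags that combination. The mapping from the article's capability bullets to concrete manifest permission names is my assumption, since the write-up lists capabilities rather than permission strings, and the manifest embedded here is constructed for the demonstration.

```python
"""Triage an Android manifest for the permission combination described in the
TeaBot write-up. The sample manifest is constructed; the mapping from the
article's capability bullets to permission names is an assumption."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: capability from the article -> manifest permissions that grant it
CAPABILITY_PERMISSIONS = {
    "sms": {"android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS",
            "android.permission.READ_SMS"},
    "contacts_and_phone_state": {"android.permission.READ_CONTACTS",
                                 "android.permission.READ_PHONE_STATE"},
    "biometrics": {"android.permission.USE_BIOMETRIC",
                   "android.permission.USE_FINGERPRINT"},
    "audio": {"android.permission.MODIFY_AUDIO_SETTINGS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "uninstall": {"android.permission.REQUEST_DELETE_PACKAGES"},
    "package_listing": {"android.permission.QUERY_ALL_PACKAGES"},
}
# An accessibility service is declared on a <service>, not as a <uses-permission>
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# The triad that a "VLC" or "DHL" lookalike app should never need together
CORE_BANKER_TRIAD = {"sms", "overlay", "accessibility"}

# Constructed manifest of a fake media-player app; not taken from any real sample
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application>
    <service android:name=".SupportService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def extract_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    return perms


def declares_accessibility_service(manifest_xml):
    """True if any <service> is protected by BIND_ACCESSIBILITY_SERVICE."""
    root = ET.fromstring(manifest_xml)
    return any(svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
               for svc in root.iter("service"))


def triage_manifest(manifest_xml):
    """Map declared permissions to the article's capability list and flag the
    SMS + overlay + accessibility triad as suspicious."""
    perms = extract_permissions(manifest_xml)
    hits = {cap for cap, names in CAPABILITY_PERMISSIONS.items() if perms & names}
    if declares_accessibility_service(manifest_xml):
        hits.add("accessibility")
    return {"capabilities": sorted(hits),
            "suspicious": CORE_BANKER_TRIAD <= hits}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The check is deliberately conservative: a single permission such as READ_PHONE_STATE is common in benign apps, so only the co-occurrence of SMS access, an overlay window and an accessibility service raises the flag. Real manifests pulled from an APK are binary XML and need to be decoded (for example with apktool) before this parser sees them.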
TeaBot main features
The main features observed during the analysis of the banker are the following.
TeaBot sends the list of installed apps to check whether the infected device has one or more of the targeted apps already installed. When TeaBot finds one of them, it downloads the specific payload to perform overlay attacks and starts monitoring all the activity carried out by the user on the targeted app. That information is sent back to the assigned C2 every 10 seconds.
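A fixed 10-second reporting interval is exactly the kind of regularity that stands out in egress logs. The following added example (mine, not Cleafy's; it does not reproduce any TeaBot network details) groups connection records by source and destination, computes the inter-arrival gaps and reports pairs whose median gap sits near a configurable period with low jitter. The log format and all addresses are constructed for the demonstration.

```python
"""Flag hosts that contact the same destination at a steady interval.
The log lines, addresses and format below are constructed for this example."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2021, 5, 10, 10, 0, 0)


def _line(offset_seconds, src, dst):
    """Build one constructed log line: '<iso-timestamp> <src> -> <dst>'."""
    ts = (BASE + timedelta(seconds=offset_seconds)).isoformat(timespec="milliseconds")
    return f"{ts} {src} -> {dst}"


# Constructed sample: one host beaconing roughly every 10 s, one host with
# ordinary irregular traffic.  Addresses are from documentation ranges.
SAMPLE_LOG = (
    [_line(o, "10.0.0.5", "203.0.113.7:443") for o in (0, 10, 19.8, 30.1, 40, 50.2, 60)]
    + [_line(o, "10.0.0.9", "198.51.100.20:443") for o in (0, 3, 47, 48, 120, 300)]
)


def parse_line(line):
    """Split a constructed log line into (timestamp, src, dst)."""
    ts, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def find_periodic_beacons(lines, period=10.0, tolerance=1.0, min_events=5):
    """Return (src, dst) pairs whose connection gaps cluster around `period`.

    A pair is reported when it has at least `min_events` records, the median
    gap is within `tolerance` seconds of `period`, and the gap jitter
    (population standard deviation) is also within `tolerance`.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        jitter = statistics.pstdev(gaps)
        if abs(median_gap - period) <= tolerance and jitter <= tolerance:
            findings.append({"src": src, "dst": dst,
                             "median_gap": round(median_gap, 2),
                             "jitter": round(jitter, 2),
                             "events": len(stamps)})
    return findings


if __name__ == "__main__":
    for hit in find_periodic_beacons(SAMPLE_LOG):
        print(hit)
```

On real data the interesting part is choosing `tolerance`: the sample host with a 3 s, 44 s, 1 s, 72 s, 180 s gap sequence is discarded by the median check alone, while a legitimate keep-alive also looks periodic, so the finding is a lead to pivot on (which app owns the socket, what the destination is) rather than a verdict.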
One of the particularities of TeaBot is its ability to take screenshots in order to continuously monitor the screen of the compromised device. When the C2 sends the "start_client" command with an IP address and port, it starts requesting the images, and TeaBot enters a loop in which it creates a "Virtual Screen" for taking screenshots.
A malicious application/user is somehow able to perform actions on behalf of the victim. This usually takes the form of an imitation app or a WebView launched "on top" of a legitimate application (such as a banking app).
Be aware of the situation and take the necessary steps to safeguard your environment!