Threat experts warn Android users of a new strain of malware designed to steal user credentials, passwords and take complete control of Android devices for financial fraud.
What is Happening?
Monday, The Hacker News reported that cybersecurity researchers had identified a new threat to Android phone users. The malware Trojan steals user credentials, spies on SMS messages, and perpetrates fraud against banks in Spain, Italy, Belgium, Germany, and the Netherlands.
The new malware is called “TeaBot“ (or Anatsa) and started targeting financial institutions in late March 2021. Early May saw a rush of infections that involved Belgium and Netherland banks. Experts trace the malware back to the beginning of January.
How Does TeaBot Work?
The Hacker News explains,
“The main goal of TeaBot is stealing victim’s credentials, and SMS messages for enabling fraud scenarios against a predefined list of banks,” Italian cybersecurity, and online fraud prevention firm Cleary said in a Monday write-up. “Once TeaBot is successfully installed in the victim’s device, attackers can obtain a live streaming of the device screen (on demand) and also interact with it via Accessibility Services.”
The malicious Android application impersonates other legitimate apps to remain undetected. Some examples include VLC Media Player, UPS, DHL, and TeaTV. When installed, the program “acts as a dropper that not only loads a second-stage payload but also forces the victim into granting it accessibility service permissions, The Hacker News explains.”
The final stage of infection allows the hacker to remotely control the device in real-time. Once they have achieved full control, they can take screenshots, intercept SMS messages, and inject “malicious overlays on top of login screens of banking apps to steal credentials and credit card information.”
Although in its first iteration, TeaBot is also capable of evading detection by disabling Google Play Protect. Even more alarmingly, the program can access Google Authentication codes, allowing bad actors to hack into various other Google-related services and user accounts. Threat experts say the malware can exfiltrate data every 10 seconds and copy it to a remote server.
The Hacker News warns that
“Android malware abusing accessibility services as a stepping-stone for perpetrating data theft has witnessed a surge in recent months. Since the start of the year, at least three different malware families — Oscorp, BRATA, and FluBot — have banked on the feature to gain total control of the infected devices.”
How Can Android Users Stay Safe?
Although the Google Play store has in place some safety precautions, there is no guarantee against infections and malicious software getting onto the device. As evidenced with TeaBot, some of these programs can disable those protections and impersonate legitimate apps. Some ways to remain safe and keep your device malware-free are:
Never download software from untrusted sources. Always use the Google Play store but do your research first and make sure you are getting the authentic program. Check out the author, ratings, and other key pieces of information so you know it’s not a ruse.
Install good antivirus/anti-malware software on your device and run deep scans often.
Never click links in email or download attachments.
Watch out for phishing emails.
Verify everything before taking any action.
Never click ads or links in social media or text messages when they come to you unsolicited.
Use common sense, and when you see something that appears to be “too good to be true,” it probably is.
Keep your Android device updated with the latest operating system and security patches.
Update all apps too.
Hackers and cybercriminals are constantly evolving, and you have to be on top of things and aware of the dangers to stay safe.