As we've already discussed in previous articles, mobile phones are not free from banking trojans. This time we are going to be talking about a trojan for Android that was discovered by the Threat Intelligence and Incident Response (TIR) team at Cleafy in January 2021. This new trojan is called TeaBot and seems not to be related to any known family of banking trojans.
The samples collected between the months of May and June are focused on committing fraud against at least 60 banks in Europe, including banks in Italy, Spain, Germany, Belgium, Switzerland and the Netherlands.
Basic analysis of the last sample found. Source: https://analyze.intezer.com/
This is a banking trojan with RAT (Remote Access Tool/Remote Access Trojan) capabilities, allowing the attacker to remotely access and control devices. The main functionality of this trojan is that of extracting information related to online banking.
The trojan disguises itself as a legitimate application. Ever since it first appeared, the name of the application has changed several times. Initially the app was called TeaTV, but later it became MediaPlayer, Mobdro tv, DHL, UPS and Bpost.
Evolution of the changing applications that contain TeaBot.
Once it is active on the Android device, it allows attackers to obtain a live broadcast of the device's screen and to interact with it through the accessibility services provided by the system. It can also send, receive and hide SMS messages, enable keylogging functionalities, as well as steal Google authentication codes.
If Android's accessibility services are disabled, the malware harasses the user with pop-up windows that try to get the user to click on them to enable these services. In addition, it overlays fake login screens of banking applications to achieve its goal: gain access to credentials and credit card information.
Evidence Found in Static Analysis
In the static analysis of various samples of the trojan carried out by the Cleafy team, the names of the applications mentioned above were extracted and they discovered that the use of these applications employed the same decoy used by the FluBot/Cabassous banking trojan, which we already published a report on back in April.
From the AndroidManifest file, a list of permissions obtained by TeaBot has been found that allow:
- SMS messages to be sent and intercepted. Online banking usually sends SMS messages to confirm bank movements such as transfers or payments.
- The phone's calendar and status to be read.
- Information to be collected on biometric measurements that, on the other hand, allow actions to be confirmed in many banking applications.
- The audio settings to be edited to mute the device.
- Installed applications to be deleted.
- and those that we have already talked about before such as taking advantage of Android accessibility services and displaying pop-up windows.
As for TeaBot's behavior, it uses a keylogger functionality to steal banking credentials. This behavior has also been observed in another banking trojan called EvenBot. But while EvenBot tracks any application, TeaBot only does so with the specific applications of the banking entities it is interested in. In this way, it generates less traffic between the command and control center (C&C).
Interaction graph of TeaBot with other trojans and keyloggers
In its first communications with the C&C, TeaBot sends the list of applications installed on the device to verify if any of them is one of the ones it needs to be able to download the payload. It is with this payload that overlay attacks are carried out and it is the one that tracks user activity in the banking application. All the information that is collected is sent back to the C&C every 10 seconds.
TeaBot is a banking trojan for Android discovered in January 2021. Currently its activity targets European banks. Ever since its discovery, it appears to have been using different applications to download its payload and achieve its goal. In the spotlight are: the credentials of online banking users, the biometric information stored on the devices, the control of SMS messages and the audio of the Android device to be able to confirm transactions.
It has also been seen to copy the behaviors of other banking trojans such as FluBot and EvenBot, so it's important to remain alert and continue investigating this trojan since it has been able to collect information from a large number of users in just a few months.