Toddler: Credential Theft through Overlays and Accessibility Event Logging
Toddler is a new banking malware for Android, detected for the first time in January 2021. The technique for stealing banking credentials is still the same as that used by other families of banking malware for Android.
Phishing web injections displayed as overlays as soon as the launch of the affected banking application is detected is the main strategy for stealing the banking credentials of its victims. Thus, the malware operators trick the user into believing that the login window that appears actually corresponds to the legitimate application.
In addition to the theft of credentials through phishing overlays, Toddler also implements the theft of credentials through the log of accessibility events, specifically those related to the changes that occur in the text fields that are displayed on the login interface.