TeaBot malware tries to spy on banking data on Android devices

[Translate to English:] Gefahrenwarnung zur Schadsoftware TeaBot, die Android-Nutzer angreift

By downloading infected Android apps, users fall into the sights of cybercriminals. German users are also affected. With the help of the malware "TeaBot", the cybercriminals are trying to obtain users' bank data. Find out exactly what the threat is and what you can do.

What happened?

On 12 May, Italian security researchers at Cleafy announced the discovery of a new Android malware called "TeaBot". The malware was first discovered in early January and classified as a banking trojan. TeaBot's main goal is to tap victims' access data and SMS messages in order to enable fraud incidents against a predefined list of banks. Attacks on German banks were first observed at the beginning of May this year.

What risks does TeaBot pose to my business?

Once the malware is successfully installed on the victim's device, the attackers receive a live stream of the affected device's screen. They can also interact with the device through its access services to hijack users' credentials and SMS messages and enable fraudulent activity. The malware is "hidden" in a compromised mobile app that is believed to have been downloaded recently.

Further background on the TeaBot threat

The IT security portal Zdnet describes: "The app was initially called TeaTV, but then kept changing its title to "VLC MediaPlayer", "Mobdro", "DHL", "UPS" and "bpost". Currently, the malware runs under the name "TeaBot". It seems to have all the main characteristics of the new type of Android banking Trojans, which are characterised by the misuse of so-called accessibility services. These Accessibility Servicesallow an application to interact with other apps. Examples would be:

  • Ability to engage in undetected activity in the background.
  • Ability to perform overlay attacks against multiple banking applications to steal credentials and credit card information.
  • Ability to send / intercept / hide SMS messages.
  • Ability to enable key logging features.
  • Ability to steal Google authentication codes.
  • Ability to gain full remote control of an Android device (via Accessibility Services and real-time screen sharing).

As Cleafy researchers discovered, the malware has three main functions:

  • Keylogging, i.e. recording all input on the compromised device.
  • Taking screenshots.
  • Overlay attack, whereby the attacker is able to perform actions on behalf of the victim.

What can I do? 

If you are an Android user, pay special attention to the apps on your smartphone. Considering that TeaBot has been "hidden" in compromised apps such as VLC Media Player, TeaTV, DHL and UPS, we recommend checking your phone for the presence of these apps. If you have recently downloaded any of these apps, you should be particularly vigilant - especially if they are not from official sources (e.g. the Play Store or directly from the app provider). A recent attack is difficult to identify. What should make you suspicious is receiving an unusual message with a link to a banking app. Also, keep an eye on the payments on your company account. This can be done, for example, by sending an e-mail/message informing you of every transaction that has been made. This service can usually be set up in your bank's online portal. If you notice unexpected debits on your bank account, you should contact your bank immediately.

The next step should be to install all updates on your Android device. To protect your phone from malware, we recommend avoiding downloading apps from third-party sites and carefully checking which apps you download (including from the Google Play Store). It is also important not to click on links. Especially if you cannot match the numbers or do not expect such messages from a known number.


Any questions?
We are here for you.

Arrange a free consultation with our IT security experts. We look forward to meeting you.

+49 030/95 999 80 80 (Mon - Fri 09:00am - 6:00pm)