Fraud Alert: TeaBot, the new malware for Android: beware of bank fraud
A new banking Trojan nicknamed TeaBot has been discovered which, disguising itself as legitimate apps, spies on users and steals their credentials for banking services across half of Europe, including Italy. Here are the details and tips to defend against this threat.
TeaBot is a new Android banking Trojan that has been targeting users across Europe since the beginning of the year, hijacking their login credentials and SMS messages to facilitate fraud against banks in Italy, Spain, Germany, Belgium and the Netherlands.
Once successfully installed on the victim's device, TeaBot allows attackers to obtain a live stream of the screen and to interact with the device itself through the Android accessibility services.
TeaBot was discovered by the Threat Intelligence and Incident Response (TIR) team of Cleafy, an Italian cyber security and online fraud prevention company, which has so far identified more than 60 banks as targets of the malware.
- TeaBot's goals
- TeaBot: the technical characteristics
- TeaBot: indicators and chain of infection
- How does communication with the C2 server take place?
- How to protect yourself from Android banking Trojans
TeaBot's goals
In its report, the Cleafy TIR noted that an in-depth analysis of a new wave of samples detected in March 2021 revealed, for the first time, multiple payloads aimed at Italian and German banks, while malicious injections against Belgian and Dutch banks were only detected at the beginning of May.
Other evidence shows that the malware has multilingual support, including English and French as well as Spanish, Italian, German and Dutch.
Geographical distribution of the banks currently targeted by TeaBot.
TeaBot: the technical characteristics
Despite being in an early stage of development (as shown by some irregularities found during the analysis), TeaBot is equipped with features that abuse the Android accessibility services, characteristics it shares with other well-known mobile Trojans built for fraud:
- remote control of the target device;
- theft of 2FA (two-factor authentication) codes;
- sending and interception of SMS messages;
- exfiltration of banking data;
- disabling of Google Play Protect.
More precisely, among the main characteristics observed during the analysis of the samples, the researchers identified:
- keylogging (similar to that of the EventBot banking Trojan, although, unlike EventBot, it only tracks the presence of certain targeted apps and therefore generates less C2 traffic);
- screenshots (captured continuously to monitor the screen of the compromised device);
- overlays (a known technique already implemented in the notorious Android Trojans Anubis, Cerberus and Alien, which consists in imitating an app or superimposing a WebView on a legitimate application).
Some of the TeaBot commands identified during the technical analysis carried out by the Cleafy TIR are summarized below:
- ask_syspass: shows a biometric authorization popup;
- ask_perms: asks the user for permissions;
- change_pass: shows a warning message telling the user to update their password;
- get_accounts: retrieves the accounts configured in the Android settings;
- kill_bot: removes itself;
- mute_phone: mutes the device sound;
- open_inject: executes the overlay attack, starting the injection;
- start_client: defines an IP address and port number to be used to observe the compromised device via screenshots;
- swipe_down: simulates swipe gestures on the screen;
- grab_google_auth: opens the Google Authenticator app and grabs the codes;
- activ_screen: enables remote control of the device screen.
TeaBot: indicators and chain of infection
To make reverse engineering harder, the TeaBot developers used anti-analysis techniques already seen in other banking malware: junk code, XOR encryption (even if only partial), and an infection chain split into two stages, in which the installed app acts as a dropper that dynamically loads the actual payload (a .dex file) as the second stage.
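A static triage check for exactly this two-stage layout, written here as an added example (it is not Cleafy's tooling and not code from the malware): it walks the APK's zip entries, looks for a DEX header outside the normal classes*.dex slots, recovers a single-byte XOR key by brute force when the payload has been obfuscated, and reports which runtime class loaders the dropper's dex references. The sample APK is constructed in memory so the script runs offline; the file name assets/cache.png and the key 0x66 are assumptions for illustration.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"  # first four bytes of every DEX header ("dex\n035\0", "dex\n037\0", ...)

# Type descriptors present in dex code that loads further code at runtime,
# i.e. what a dropper needs to pull in a second-stage .dex.
LOADER_MARKERS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the data."""
    return bytes(b ^ key for b in data)


def find_hidden_dex(apk_bytes: bytes) -> list:
    """Return (entry_name, xor_key) for every zip entry outside the root classes*.dex
    slots whose first four bytes are the DEX magic, in clear (key 0) or under a
    single-byte XOR. Four bytes give 2^32 values, so a chance hit across 256 keys
    is negligible."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if "/" not in name and name.startswith("classes") and name.endswith(".dex"):
                continue  # the dropper's own code, expected at the root
            with apk.open(info) as fh:
                head = fh.read(4)
            if len(head) < 4:
                continue
            for key in range(256):
                if xor_bytes(head, key) == DEX_MAGIC:
                    hits.append((name, key))
                    break
    return hits


def loader_markers(apk_bytes: bytes) -> list:
    """List which runtime class loaders the packaged dex files reference."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.endswith(".dex"):
                data = apk.read(name)
                found.update(m.decode() for m in LOADER_MARKERS if m in data)
    return sorted(found)


def build_sample_apk() -> bytes:
    """Constructed two-stage dropper: NOT a real APK, only the zip layout needed to
    exercise the checks above. Entry names and the XOR key 0x66 are assumptions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00placeholder")
        # dropper code: DEX header magic followed by a class-loader type descriptor
        apk.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32
                     + b"Ldalvik/system/DexClassLoader;")
        # second stage disguised as an image and XOR'd so the magic is not visible
        payload = DEX_MAGIC + b"035\x00" + b"second-stage payload (constructed)"
        apk.writestr("assets/cache.png", xor_bytes(payload, 0x66))
        # a genuine PNG header, which must not be reported
        apk.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk()
    print("hidden dex:", find_hidden_dex(sample))        # [('assets/cache.png', 102)]
    print("loaders referenced:", loader_markers(sample))  # ['Ldalvik/system/DexClassLoader;']
```

Against a real sample, pass the bytes of the APK to find_hidden_dex and loader_markers; a payload encrypted with a multi-byte key or a real cipher will not be caught by the four-byte probe, so treat an empty result as "not a single-byte XOR", not as "no second stage".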
Icons of some of the apps TeaBot uses to disguise itself.
Furthermore, once the malicious app is installed on the device (according to the researchers, it has been distributed over time under different names such as TeaTV, VLC MediaPlayer, Mobdro, DHL, UPS and bpost, in ways similar to those used in the recent Flubot campaigns), TeaBot tries to hide from the user, evading detection and ensuring persistence: it installs itself as a background service and, from the start, establishes a silent communication with its command-and-control (C2) server (185.215.113[.]31, kopozkapalo[.]xyz, sepoloskotop[.]xyz, 178.32.130[.]170).
Subsequently, to perform the malicious operations it was built for, TeaBot requests specific Android permissions that let it intercept and observe the user's actions, retrieve sensitive information and execute arbitrary commands; among other things it displays the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS system dialog, which asks the user to exempt the app from battery optimization so that its background service is not killed.
Only at the end, after a successful installation, does the malware remove its icon from the device, to reduce the chance of the user spotting it.
Screenshots taken during the installation of TeaBot disguised as the VLC MediaPlayer app.
How does communication with the C2 server take place?
From the analysis of the network communication that TeaBot establishes with its C2 server, the security team identified three main types of messages, each served by its own API:
- configuration update ("bot update"): every 10 seconds TeaBot sends a POST request with information about the compromised device, encrypted with XOR using the fixed key "66";
- retrieval of the list of targeted apps ("get keyloggers"): every 10 seconds TeaBot issues a GET request;
- code injection for the detected target apps ("getbotinjects"): during the first infection phase TeaBot sends, via POST, an unencrypted JSON record containing the names of the packages installed on the compromised device, and in response receives the related injections.
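The three exchanges above, modelled as an added example (this is not Cleafy's code and not the malware's; it only follows the report's description). It XOR-encodes and decodes a "bot update" body, builds the clear-text "getbotinjects" request and the server's answer, and then runs a beacon check over a constructed proxy log to show how the 10-second polling stands out from ordinary browsing. Assumptions: the key "66" is taken as the single byte 0x66, the JSON field names, URL paths and package names are invented, and the log format is a made-up "timestamp src dst method path".

```python
import json
from datetime import datetime

XOR_KEY = 0x66  # assumption: the reported key "66" read as the single byte 0x66


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in data)


def encode_bot_update(device_info: dict) -> bytes:
    """Body of the periodic 'bot update' POST: device data XOR'd with the fixed key.
    The JSON layout is constructed; the report only says the data is XOR-encrypted."""
    return xor_bytes(json.dumps(device_info, sort_keys=True).encode())


def decode_bot_update(body: bytes) -> dict:
    """What an analyst does with a captured body: XOR it back and parse it."""
    return json.loads(xor_bytes(body).decode())


def build_getbotinjects(installed_packages) -> bytes:
    """First-phase 'getbotinjects' POST: the installed package names, in clear."""
    return json.dumps({"packages": sorted(installed_packages)}).encode()


def pick_injects(request_body: bytes, inject_catalogue: dict) -> dict:
    """Server side of the same exchange: overlays only for the reported packages
    the C2 has an injection for. inject_catalogue is a constructed stand-in."""
    packages = json.loads(request_body.decode())["packages"]
    return {p: inject_catalogue[p] for p in packages if p in inject_catalogue}


def beacon_candidates(log_lines, period=10.0, tolerance=1.0, min_hits=3) -> list:
    """Flag (src, dst, method, path) tuples that recur at a fixed interval, the
    signature of the 10-second 'bot update' / 'get keyloggers' polling."""
    times_by_key = {}
    for line in log_lines:
        ts, src, dst, method, path = line.split()
        t = datetime.fromisoformat(ts).timestamp()
        times_by_key.setdefault((src, dst, method, path), []).append(t)
    flagged = []
    for key, times in times_by_key.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        periodic = sum(1 for g in gaps if abs(g - period) <= tolerance)
        if periodic + 1 >= min_hits:
            flagged.append(key)
    return flagged


# Constructed proxy log: one phone polling one of the report's C2 IPs every 10 s,
# plus ordinary browsing that must not be flagged. Paths are invented.
SAMPLE_LOG = [
    "2021-05-10T09:00:00 10.0.0.5 185.215.113.31 POST /api/botupdate",
    "2021-05-10T09:00:00 10.0.0.5 185.215.113.31 GET /api/getkeyloggers",
    "2021-05-10T09:00:05 10.0.0.5 142.250.74.46 GET /search",
    "2021-05-10T09:00:10 10.0.0.5 185.215.113.31 POST /api/botupdate",
    "2021-05-10T09:00:10 10.0.0.5 185.215.113.31 GET /api/getkeyloggers",
    "2021-05-10T09:00:20 10.0.0.5 185.215.113.31 POST /api/botupdate",
    "2021-05-10T09:00:20 10.0.0.5 185.215.113.31 GET /api/getkeyloggers",
    "2021-05-10T09:00:30 10.0.0.5 185.215.113.31 POST /api/botupdate",
    "2021-05-10T09:02:17 10.0.0.5 142.250.74.46 GET /search",
]

# Constructed catalogue of overlays held by the C2; package names are hypothetical.
INJECT_CATALOGUE = {
    "it.example.bank": "<html><!-- fake login page --></html>",
    "de.example.bank": "<html><!-- fake login page --></html>",
}


if __name__ == "__main__":
    print(beacon_candidates(SAMPLE_LOG))
    request = build_getbotinjects(["com.android.chrome", "it.example.bank"])
    print(pick_injects(request, INJECT_CATALOGUE))
```

Single-byte XOR gives no confidentiality once the key is known, which is why the analysts could read the device data at all; on the detection side, a fixed 10-second cadence to a newly seen host is a cheap, low-noise hunting query to run over proxy or NetFlow data for any mobile fleet.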
How to protect yourself from Android banking Trojans
As the researchers point out, TeaBot, like the Android malware Oscorp, aims at real-time interaction with the compromised device in order to carry out an Account Takeover (ATO) scenario, simply by abusing the Android accessibility services to gain fraudulent control of newly infected devices.
Therefore, to protect yourself from the increasingly rampant mobile threats posed by the countless banking Trojan variants, it is always advisable to follow at least these minimum security measures:
- always check the trustworthiness of the apps you use, verifying with the relevant customer service where in doubt;
- check user ratings before downloading a new app;
- install only from legitimate stores: Google Play remains the most reliable source, though not a guarantee;
- pay attention to the permissions requested during app installation, granting them only if you are sure they are necessary for the app to work (accessibility service access in particular is rarely needed by a media player or a parcel-tracking app);
- regularly scan your mobile device for the latest threats with an up-to-date antivirus;
- always keep your Android operating system updated with the updates and security patches released periodically.
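For a device you suspect is already infected, the advice above can be turned into a concrete check. The following is an added example (not from Cleafy or this article) that cross-references four adb dumps: which packages hold an enabled accessibility service, which of them are third-party, which have no launcher icon (TeaBot removes its own), and which obtained a battery-optimization exemption through the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS dialog. The dump contents are constructed, the package com.teatv.player is hypothetical, and the line format of cmd package query-activities --brief is assumed.

```python
# Constructed output of: adb shell settings get secure enabled_accessibility_services
# (colon-separated package/.ServiceClass pairs)
ENABLED_SERVICES = (
    "com.android.talkback/.TalkBackService:"
    "com.teatv.player/.TeaAccessibilityService"
)

# Constructed output of: adb shell pm list packages -3   (third-party packages only)
THIRD_PARTY_PACKAGES = """package:com.whatsapp
package:com.teatv.player
package:org.videolan.vlc"""

# Constructed output of: adb shell cmd package query-activities --brief \
#     -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
# Assumed format: one package/Activity component per line (strip any header lines).
LAUNCHER_ACTIVITIES = """com.whatsapp/.Main
org.videolan.vlc/.StartActivity
com.android.settings/.Settings"""

# Constructed output of: adb shell dumpsys deviceidle whitelist
# "system" rows are OS-defined; "user" rows were accepted by the user via the
# REQUEST_IGNORE_BATTERY_OPTIMIZATIONS dialog.
DEVICEIDLE_WHITELIST = """system,com.android.cellbroadcastreceiver,10011
user,com.teatv.player,10234
user,com.whatsapp,10201"""

# Accessibility services a user may legitimately run; extend for your own fleet.
ALLOWLIST = frozenset({"com.android.talkback", "com.google.android.marvin.talkback"})


def _pkg(component: str) -> str:
    """'pkg/.Class' -> 'pkg'."""
    return component.strip().split("/", 1)[0]


def triage(enabled_services, third_party, launcher_activities, deviceidle_whitelist,
           allowlist=ALLOWLIST):
    """Return (package, service, reasons) for every non-allowlisted package that holds
    an enabled accessibility service. The more reasons stack up (third-party, no
    launcher icon, battery exemption) the more it resembles an overlay Trojan
    rather than an assistive app."""
    third = {line.split(":", 1)[1].strip()
             for line in third_party.splitlines() if line.startswith("package:")}
    launchers = {_pkg(line) for line in launcher_activities.splitlines() if "/" in line}
    user_exempt = {line.split(",")[1] for line in deviceidle_whitelist.splitlines()
                   if line.startswith("user,")}
    findings = []
    for service in filter(None, enabled_services.split(":")):
        pkg = _pkg(service)
        if pkg in allowlist:
            continue
        reasons = ["accessibility service enabled"]
        if pkg in third:
            reasons.append("third-party package")
        if pkg not in launchers:
            reasons.append("no launcher icon")
        if pkg in user_exempt:
            reasons.append("exempt from battery optimization")
        findings.append((pkg, service, reasons))
    return findings


def run_sample():
    """Run the triage over the constructed dumps above."""
    return triage(ENABLED_SERVICES, THIRD_PARTY_PACKAGES, LAUNCHER_ACTIVITIES,
                  DEVICEIDLE_WHITELIST)


if __name__ == "__main__":
    for pkg, service, reasons in run_sample():
        print(f"{pkg} ({service}): " + "; ".join(reasons))
```

On a real handset, replace the four constants with the output of the adb commands named in the comments; a package that trips all four reasons is a strong candidate for removal with adb uninstall, after the device has been isolated from the bank account it was used with.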