blog

Android Users Need To Watch Out For Teabot Trojan

Written by Securafy Team | Mar 15, 2022 3:00:00 PM

If you have smart devices in the Android ecosystem, there's a new threat to be aware of in the form of a malware strain called Teabot.  This bit of malicious code is a Remote Access Trojan or RAT for short. The group behind the code is making a big push to see it spread worldwide.

Researchers from Cleafy can confirm that the malware targets more than 400 different applications and the folk behind the code have begun to pivot away from their initial tactic of "smishing."

Smishing, if you're not familiar with the term, is a tactic used to compromise a mobile device via spam text messages that contain poisoned links.  If a recipient clicks on one of these links, they're taken to a site controlled by the hackers and the malware is installed on the user's computer in the background.

This bit of code emerged near the beginning of 2021. Back then, in its earliest incarnations it was known as Toddler/Anatsa.

In its primitive form, it was distributed exclusively via smishing and only had a list of sixty lures.  Granted they were big well-known lures like VLC Media player and DHL shipping but there were only sixty of them.

By July of last year, the owners of the malicious code had modified it to strike at dozens of banks based all over Europe. In the months that followed, at least 18 banks fell victim to Teabot attacks.

More recently, the malicious code has undergone additional changes. The malware has migrated from Europe spreading to Russia, the US, Hong Kong, and beyond.  In addition to that, it's no longer targeting banks exclusively but cryptocurrency exchanges and digital insurance providers as well.  Even worse is that in at least one case Teabot has managed to infiltrate official Android repositories via dropper apps.

In terms of how big a problem this is, here is how it goes. Once Teabot is installed on a target system it can primarily log keystrokes and take screenshots. Then it can exfiltrate them to the malware's controllers which means that in short order any site you log onto using your phone can quickly be compromised.

Stay vigilant out there.  It's still early in the year and Teabot will certainly not be the last threat we face.