TeaBot, a sophisticated Android banking trojan, is infecting a growing number of Android smartphones. Cybersecurity firm Zscaler’s ThreatLabz reported a sharp rise in malicious activity leveraging TeaBot this week.
TeaBot, also known as “Anatsa,” is distributed by impersonating seemingly harmless applications such as PDF and QR code readers. Once installed on an Android smartphone, the fake app acts as a Trojan horse, deploying the banking trojan behind a range of financial fraud schemes.
“[TeaBot] is a known Android banking malware that targets applications from over 650 financial institutions, primarily in Europe. We observed Anatsa actively targeting banking applications in the US and UK. However, recent observations indicate that threat actors have expanded their targets to include banking applications in Germany, Spain, Finland, South Korea, and Singapore,” explains Zscaler ThreatLabz.
Zscaler’s researchers have observed two fake Android applications recently used to deploy TeaBot: a PDF reader app called ‘PDF Reader & File Manager’ and a QR code reader app called ‘QR Reader & File Manager.’ On the Google Play Store, the developer name shown on the listing is ‘TSARKA Watchfaces’ for the former and ‘risovanui’ for the latter.
TeaBot collects financial data without users’ knowledge
Both applications have already duped over 70,000 smartphone users into installing them. Once installed, the malicious app harvests banking credentials and financial information from the targeted financial applications, intercepting and collecting the data discreetly, without the user’s knowledge.
“Although it is not one of the most used Android Trojans, TeaBot is one of the most sophisticated ones in the wild,” says Zscaler.
The researchers add that these recent campaigns highlight the risk to Android users who have already unwittingly installed the malicious applications from the Google Play Store.
Although the Google Play Store is usually considered one of the safest sources for Android apps, cybercriminal gangs are now successfully uploading malware-laced apps to it. The Zscaler ThreatLabz team recently found weaponized apps from the Joker, Facestealer, and Coper malware families on the Google Play Store as well.