Tue, 28 June 2022
The Daily Ittefaq

Beware of malicious Android app ‘TeaBot’

Update : 10 Mar 2022, 18:30

Incidents of cybercrime are increasing rapidly. Most recently, a piece of malware has been found on the Google Play Store that steals highly sensitive data and reads the messages on infected phones. It also steals the login details of banking apps. Once that data is leaked, the money in the victim's account is at risk and the account can be emptied. The malware also steals personal information and passwords stored on the phone.

An Android malware called TeaBot, designed to steal user data such as passwords and text messages, was found on Google Play. The malware was first discovered in early January and classified as a banking trojan. TeaBot's main goal is to capture victims' access credentials and SMS messages in order to commit fraud against a predefined list of banks. Attacks on German banks were first observed at the beginning of May this year.

This dangerous Android banking malware, TeaBot, which reaches users' phones through the Google Play Store and steals banking details, has been downloaded thousands of times. One such trojan has been identified that was present on the Google Play Store.

If this dangerous app is present on your smartphone, uninstall it immediately. A security firm said that the remote access trojan, which steals users' passwords, text messages and other confidential data, has been downloaded from Google Play. The malware is "hidden" in a compromised mobile app that is believed to have been downloaded recently.

The IT security portal ZDNet describes: "The app was initially called TeaTV, but then kept changing its title to 'VLC MediaPlayer', 'Mobdro', 'DHL', 'UPS' and 'bpost'. Currently, the malware runs under the name 'TeaBot'. It seems to have all the main characteristics of the new type of Android banking Trojans, which are characterised by the misuse of so-called accessibility services. These Accessibility Services allow an application to interact with other apps."

TeaBot, which appeared in 2021, is an Android malware that is spreading through Google's official app market. Usually the company removes such dangerous apps from the Google Play Store as soon as it is informed about them, but this app is proving difficult to recognise. Security firm Cleafy reports that TeaBot is back. This time the trojan is spreading through a malicious app called QR Code and Barcode Scanner. Cleafy researchers have informed Google about this app, but Google has not responded yet. If this app is present on your phone, remove it immediately.

There has been a 500 percent increase in TeaBot attacks in less than a year. In recent months, TeaBot has displayed custom messages on infected phones in new languages, including Russian, Slovak and Mandarin Chinese. The trojan presents users with fake updates; during the installation of the "update" it requests the device's accessibility permission, which includes the permissions to view and control the screen. Through this, the attackers gain access to sensitive information such as login credentials, SMS messages and 2FA codes.

According to a report by Cleafy, a provider of online fraud management and prevention solutions, TeaBot is being distributed through smishing campaigns impersonating TeaTV, VLC Media Player, DHL and UPS.

During the last months, TeaBot has also started supporting new languages, such as Russian, Slovak and Mandarin Chinese, useful for displaying custom messages during the installation phases.

On February 21, the Cleafy Threat Intelligence and Incident Response (TIR) team discovered an application published on the official Google Play Store, which was acting as a dropper application delivering TeaBot with a fake update procedure.

However, once downloaded, the dropper will request an update immediately through a popup message.

Unlike legitimate apps that perform the updates through the official Google Play Store, the dropper application.

Once the user accepts downloading and executing the fake "update", TeaBot starts its installation process by requesting the Accessibility Services permissions in order to obtain the privileges it needs.


How to remove the TeaBot malware 

If you are an Android user, pay special attention to the apps on your smartphone. Since TeaBot has been "hidden" in compromised apps posing as VLC Media Player, TeaTV, DHL and UPS, we recommend checking your phone for the presence of these apps. If you have recently downloaded any of them, you should be particularly vigilant, especially if they did not come from official sources (e.g. the Play Store or directly from the app provider). A recent infection is difficult to identify; what should make you suspicious is receiving an unusual message with a link to a banking app. Also keep an eye on the payments on your account. One way to do this is to have your bank send you an e-mail or message for every transaction, a service that can usually be set up in your bank's online portal. If you notice unexpected debits on your bank account, contact your bank immediately.

The next step should be to install all updates on your Android device. To protect your phone from malware, we recommend avoiding downloads from third-party sites and carefully checking which apps you install (including from the Google Play Store). It is also important not to click on links in messages, especially if you do not recognise the sender's number or do not expect such a message from a known number.
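Because TeaBot's privileges come from the accessibility services permission described above, a practical check is to list which apps currently hold that permission on a device. The following script is an added example written for this article, not code from Cleafy, ZDNet or Google: it parses the value of the Android secure setting `enabled_accessibility_services` (a colon-separated list of `package/class` component names, where the class may be abbreviated as `.Class`), which can be read over USB debugging with `adb shell settings get secure enabled_accessibility_services`, and flags every service whose package is not on an allowlist you maintain. The allowlist, the package names and the sample device output are constructed for the example.

```python
"""Audit which Android apps currently hold accessibility-service rights.

Added example; not code from the article or from any vendor named in it.
It reads the device setting over adb when adb is available and otherwise
runs against a constructed sample string, so it can be tried offline.
"""
import shutil
import subprocess
from typing import List, Optional, Tuple

# Hypothetical allowlist: packages you know and expect to use accessibility
# services (e.g. a screen reader). Anything else is worth a closer look.
EXPECTED_PACKAGES = {"com.example.screenreader"}

# Constructed sample of what `settings get secure enabled_accessibility_services`
# might print: one expected screen reader and one unknown "QR scanner" app.
SAMPLE_OUTPUT = (
    "com.example.screenreader/.ReaderService:"
    "com.example.qrscanner/com.example.qrscanner.ControlService"
)


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the setting into (package, fully qualified class) pairs.

    Android prints "null" when the setting has never been written, and
    flattened component names abbreviate classes inside the package as
    ".Class"; both cases are handled here.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for item in raw.split(":"):
        item = item.strip()
        if not item:
            continue
        package, sep, cls = item.partition("/")
        if not sep or not package or not cls:
            continue  # malformed entry; skip rather than guess
        if cls.startswith("."):
            cls = package + cls
        services.append((package, cls))
    return services


def flag_unexpected(services: List[Tuple[str, str]],
                    allowlist=frozenset(EXPECTED_PACKAGES)) -> List[Tuple[str, str]]:
    """Return the services whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in services if pkg not in allowlist]


def read_from_device() -> Optional[str]:
    """Fetch the live setting via adb, or None if adb is not installed."""
    if shutil.which("adb") is None:
        return None
    result = subprocess.run(
        ["adb", "shell", "settings", "get", "secure",
         "enabled_accessibility_services"],
        capture_output=True, text=True, timeout=30,
    )
    return result.stdout if result.returncode == 0 else None


if __name__ == "__main__":
    raw = read_from_device()
    source = "device" if raw is not None else "constructed sample"
    raw = raw if raw is not None else SAMPLE_OUTPUT
    enabled = parse_enabled_services(raw)
    print(f"Accessibility services enabled ({source}):")
    for pkg, cls in enabled:
        print(f"  {pkg}  ->  {cls}")
    suspicious = flag_unexpected(enabled)
    if suspicious:
        print("Not on the allowlist; review and uninstall if unrecognised:")
        for pkg, _ in suspicious:
            print(f"  {pkg}")
    else:
        print("All enabled accessibility services are on the allowlist.")
```

With the sample input the script reports `com.example.qrscanner` as the one package holding accessibility rights that is not on the allowlist; a newly installed scanner or "media player" app appearing in that list, as the article describes, is exactly the signal to act on.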
