The Android Remote Access Trojan (RAT) TeaBot has received updates that have expanded its victim base around the world.
Earlier this week, the Cleafy research team reported that TeaBot now targets more than 400 applications and has abandoned smishing (phishing via SMS) in favor of more advanced delivery techniques.
When TeaBot first appeared in early 2021, it was distributed via phishing SMS and targeted only about 60 applications, arriving on devices disguised as apps such as TeaTV, VLC Media Player, DHL and UPS. In July 2021, the malware was configured to attack the applications of dozens of European banks.
TeaBot then moved beyond Europe and began attacking users in Russia, the USA and Hong Kong. The list of applications it impersonates and targets has also grown, in particular to include cryptocurrency exchanges and insurance companies.
According to Cleafy experts, the malware has also found a way into the official Android app store, Google Play, through dropper applications. Last month, the researchers discovered a QR Code & Barcode Scanner app on Google Play that delivered TeaBot to users' devices via fake updates.
Malware developers often publish a genuinely harmless application to the official store, pass its security checks, and, once the app has built up a solid user base, push an update that turns it into a dropper or into the malware itself. The update, not the originally reviewed app, is what carries the malicious behaviour, so the permissions and components an update adds are the first thing worth comparing against the version users actually installed.
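One way to catch this pattern before an update is rolled out to a fleet is to diff the permissions and bound service types declared in the old and new AndroidManifest.xml. The script below is an added example written for this article, not code from Cleafy or from the dropper; the two manifests are constructed samples (the package name com.example.qrscanner and the AccessService class are invented), and the risky-permission list is an assumption you would tune to your own estate. In practice the manifests would come from `apktool d` or `aapt dump xmltree` on the two APK versions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Capabilities a barcode-scanner utility has no business acquiring in an update:
# sideloading APKs, drawing overlays, binding as an accessibility service, reading SMS.
# Assumed list for this example; extend it for your own review policy.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}

# Constructed sample: the version that passed store review.
MANIFEST_V1 = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="QR Scanner">
        <activity android:name=".ScanActivity"/>
    </application>
</manifest>
"""

# Constructed sample: the "update" that adds sideloading and an accessibility service.
MANIFEST_V2 = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="QR Scanner">
        <activity android:name=".ScanActivity"/>
        <service android:name=".AccessService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set[str]:
    """Collect every <uses-permission> name plus any android:permission a <service>
    requires callers to hold. The latter is how an accessibility service is declared:
    the system binds to it only if the service demands BIND_ACCESSIBILITY_SERVICE."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    perms |= {el.get(PERM_ATTR) for el in root.iter("service") if el.get(PERM_ATTR)}
    return {p for p in perms if p}


def escalated_permissions(old_manifest: str, new_manifest: str) -> set[str]:
    """Risky capabilities present in the update but absent from the installed version."""
    added = declared_permissions(new_manifest) - declared_permissions(old_manifest)
    return added & RISKY_PERMISSIONS


if __name__ == "__main__":
    for perm in sorted(escalated_permissions(MANIFEST_V1, MANIFEST_V2)):
        print("update adds risky capability:", perm)
```

The check is deliberately a diff, not an absolute scan: a navigation app legitimately holds SYSTEM_ALERT_WINDOW from version one, and what matters for the dropper pattern is what a later update quietly adds.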
Once installed on the device, TeaBot first abuses the Android Accessibility Service, requesting permissions that let it log keystrokes and remotely control the device. It can also take screenshots and monitor the screen in order to steal credentials and two-factor authentication codes as the victim types them, which is why an unexpected accessibility service enabled on a device is one of the most telling indicators of this family.