Online bank accounts are not the only services of interest the malicious program can steal log-in credentials of other accounts/platforms through the Android Settings and Google Authentication 2FA codes. TeaBot can also use its keylogging abilities (i.e., key-stroke recording) to acquire this information even when users sign in or otherwise interact with genuine websites and applications. Therefore, the malware can steal log-in credentials (i.e., IDs, email addresses, usernames, and passwords) as well as credit card numbers - through these fraudulent screens. Also, it targets insurance applications, crypto wallets and crypto exchanges. TeaBot has many heinous functionalities.Īs mentioned in the introduction, this trojan can obtain information by overlaying the screen with fake sign-in windows of certain banking applications. Once the permissions are allowed, TeaBot can use the Accessibility Services to grant itself additional access without user interference (by simulating gestures and touches/clicks). If the Accessibility Services are not enabled, the malware bombards users with pop-up windows that ask permissions for these services. Hence, the Android Accessibility Services have access to what is displayed on the screen, and they can simulate the touchscreen. These services are designed to help users that require additional aid in reading and interacting with their devices. Like many Android-specific RATs, TeaBot uses the Accessibility Services to gain control over devices. Malicious programs of this type can allow for near-limitless control over compromised machines.
TeaBot also operates as a RAT hence, it can enable remote access and control over infected devices. At the time of research, its target list included more than sixty European banks. Its primary functionality is extraction of information related to online banking. This malware targets Android operating systems.
TeaBot is a piece of malicious software categorized as a banking trojan with RAT (Remote Access Tool/Trojan) capabilities.