Threat actors are increasingly using the sophisticated TeaBot Android malware to infect mobile phones, Zscaler has found.
In a new report published on May 27, researchers from Zscaler ThreatLabz observed an uptick in malicious activity leveraging TeaBot, an Android banking Trojan also known as Anatsa.
TeaBot Impersonates PDF and QR Code Reader Apps
TeaBot is a long-established Android banking Trojan with targeted applications from over 650 financial institutions. Threat actors target victims primarily in Europe, but also in the US, South Korea and Singapore.
Although it is not one of the most used Android Trojans, TeaBot is one of the most sophisticated ones in the wild.
TeaBot employs dropper applications that appear benign to users, deceiving them into unwittingly installing the malicious payload, a common tactic for Android banking Trojans.
Zscaler observed two fake Android applications recently used to deploy TeaBot: a PDF reader app called ‘PDF Reader & File Manager’ and a QR code reader app called ‘QR Reader & File Manager.’ On the Google Play Store, the former’s front-end developer name appears as ‘TSARKA Watchfaces’ and the latter’s as ‘risovanui.’
“At the time of analysis, both applications had already amassed over 70,000 installations,” the Zscaler researchers wrote.
A Sophisticated Malware
TeaBot utilizes remote payloads retrieved from command-and-control (C2) servers to carry out further malicious activity.
Once installed, the malicious app exfiltrates sensitive banking credentials and financial information from global financial applications.
It achieves this by using overlay and accessibility techniques, which allow it to intercept and collect data discreetly.
To achieve this, TeaBot performs the following steps:
- The malware utilizes reflection to invoke code from a loaded Dalvik Executable (DEX) file, which contains code that is ultimately executed by the Android Runtime
- The malware performs a series of checks for the device environment and device type designed to detect analysis environments and malware sandboxes
- Upon successful verification, the malware injects uncompressed raw manifest data into the APK and corrupts the compression parameters in the manifest file to hinder analysis
- After the APK is loaded, the malware requests various permissions, including the SMS and accessibility options, and decrypts the DEX file using a static key embedded within the code
- The malware establishes communication with the C2 server to carry out various activities, such as registering the infected device and retrieving a list of targeted applications for code injections
- Upon receiving a list of financial application package names, the malware scans the victim's device to check if any of these targeted applications are installed
- Once the malware identifies the presence of a targeted application, the malware communicates this information to the C2 server. In response, the C2 server provides a fake login page for the banking application
On the victim’s side, some of these actions are disguised as a legitimate application update, tricking victims into believing the application is genuine, while the rest of the actions are happening in the background without the victim's knowledge.
“Threat actors using [TeaBot also] employ various techniques to evade detection including checking for virtual environments and emulators as well as purposely corrupting the APK’s ZIP headers to hinder static analysis of the malware,” the Zscaler researchers concluded.