At the beginning of January 2021, a new Android banking trojan was discovered and analyzed by our Threat Intelligence and Incident Response (TIR) team. We decided to dub this new family TeaBot, since it does not appear to be related to any known banking trojan family.
The main goal of TeaBot is to steal victims' credentials and SMS messages in order to enable fraud scenarios against a predefined list of banks (more than 60 targeted banks were extracted).
Once TeaBot is successfully installed on the victim's device, attackers can obtain a live stream of the device screen (on demand) and interact with it via Accessibility Services.
On 29th March 2021, we detected for the first time the inclusion of injections against Italian banks.
At the beginning of May 2021, we also detected for the first time the inclusion of injections against Belgian and Dutch banks.
At the time of writing, TeaBot appears to be at an early stage of development, according to some irregularities found during our analysis.
For the sake of completeness, after our investigation we noticed that the name 'Anatsa' is also used to track this malware family.
At the beginning of January 2021, a new Android banker started appearing, and it was discovered and analysed by our Threat Intelligence and Incident Response (TIR) team.
Given the lack of public information and the absence of an established name for this Android banker family, we decided to dub it TeaBot to better track it inside our internal Threat Intelligence taxonomy.
TeaBot appears to have all the main features of current Android bankers, achieved by abusing Accessibility Services, such as:
Ability to perform overlay attacks against multiple banking applications to steal login credentials and credit card information
Ability to send / intercept / hide SMS messages
Key logging functionalities
Ability to steal Google Authenticator codes
Ability to obtain full remote control of an Android device (via Accessibility Services and real-time screen sharing)
Thanks to an in-depth analysis of a new wave of samples detected at the end of March 2021, we found, for the first time, multiple payloads (injections) against Italian banks.
TeaBot also appears to be at an early stage of development, according to some irregularities found during our analysis, but its developers have already included multi-language support, judging from textual references found in the samples (e.g. Spanish, Italian, German, etc.).
We assume that TeaBot, similarly to Oscorp, aims at real-time interaction with the compromised device, combined with the abuse of Android Accessibility Services, in order to perform an Account Takeover (ATO) directly from the victim's own device and thus bypass the need for a "new device enrollment" step.
TeaBot – Static Analysis
From the AndroidManifest file the following indicators were extracted:
Initially, the app name used by the malicious app was "TeaTV"; however, during the last month the app name was changed to "VLC MediaPlayer", "Mobdro", "DHL", "UPS" and "bpost", the same decoys used by the well-known banker Flubot/Cabassous.
The main permissions requested by TeaBot allow it to:
Send / intercept SMS messages
Read the phone book and phone state
Use the device's supported biometric modalities
Modify audio settings (e.g. to mute the device)
Show a popup on top of all other apps (used during the installation phase to force the user to grant the Accessibility Service permission)
Delete an installed application
Abuse Android Accessibility Services
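As an added example (not code from the original post or from Cleafy), the following Python script turns the permission profile above into a static triage heuristic over a decoded AndroidManifest.xml, such as the one apktool produces. The permission names are the standard Android permissions behind the capabilities listed; both sample manifests, including their package names and the service name, are constructed for this example and are not taken from a TeaBot sample.

```python
"""Triage a decoded AndroidManifest.xml against the banker capability
profile described above (SMS, phone state, biometrics, audio, overlay,
uninstall, and an Accessibility Service).

Both sample manifests below are constructed for this example; they are
not taken from a TeaBot sample.  Permission names are the standard
Android permissions behind each capability in the text.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability described in the text -> permissions that grant it (any one suffices).
CAPABILITIES = {
    "send/intercept SMS": {"android.permission.SEND_SMS",
                           "android.permission.RECEIVE_SMS",
                           "android.permission.READ_SMS"},
    "phone book / phone state": {"android.permission.READ_CONTACTS",
                                 "android.permission.READ_PHONE_STATE"},
    "biometric prompt": {"android.permission.USE_BIOMETRIC",
                         "android.permission.USE_FINGERPRINT"},
    "audio settings (mute)": {"android.permission.MODIFY_AUDIO_SETTINGS"},
    "draw over other apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "uninstall apps": {"android.permission.REQUEST_DELETE_PACKAGES"},
    "ignore battery optimisations":
        {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}


def parse_manifest(xml_text):
    """Return (package name, requested permissions, declares an AccessibilityService)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # An AccessibilityService must be guarded by this signature-level permission
    # so that only the system can bind to it; its presence on a <service> is
    # the most reliable static indicator of accessibility abuse.
    has_accessibility = any(
        s.get(ANDROID_NS + "permission")
        == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service")
    )
    return package, perms, has_accessibility


def triage(xml_text, min_capabilities=4):
    """Score a manifest; 'suspicious' requires the classic banker triad
    (accessibility + overlay + SMS) plus at least min_capabilities hits."""
    package, perms, has_accessibility = parse_manifest(xml_text)
    hits = sorted(cap for cap, names in CAPABILITIES.items() if perms & names)
    triad = (has_accessibility
             and "draw over other apps" in hits
             and "send/intercept SMS" in hits)
    return {
        "package": package,
        "accessibility_service": has_accessibility,
        "capabilities": hits,
        "suspicious": triad and len(hits) >= min_capabilities,
    }


# Constructed manifest mirroring the permission set described in the text
# (hypothetical package and service names, not real TeaBot identifiers).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.teatv">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="TeaTV">
    <service android:name=".AccService" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of a plain media player, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Player"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

The heuristic deliberately keys on the accessibility service plus overlay plus SMS combination rather than on any single permission: a legitimate SMS app or a screen reader will request one of these, but a media player or a parcel-tracking app (the decoys listed above) has no reason to request all of them together.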
TeaBot, like other bankers, uses multiple techniques to slow down analysts, such as:
The malicious application acts as a dropper and dynamically loads a 2nd stage (.dex) where all the malicious code resides
Usage of "junk code"
Network communications are partially encrypted using a simple XOR algorithm
Furthermore, both the partial network encryption and the presence of some non-working injections and commands (or, in some cases, the lack of injections for specific targeted banks) suggest that TeaBot is still under development.
At the same time, a couple of interesting changes were detected:
In January 2021, TeaBot was focused only on Spanish banks.
In March 2021, new samples of TeaBot appeared that also targeted German and Italian banks for the first time. TeaBot currently supports 6 different languages (Spanish, English, Italian, German, French and Dutch).
TeaBot main features
The main features observed during the analysis of the banker are the following.
Keylogging: Through the abuse of the Android Accessibility Services, TeaBot is able to observe and track every action performed by the user in the targeted applications. We observed similar behaviour in another banker called EventBot, with the difference that EventBot tracks every app while TeaBot tracks only the targeted apps, so less traffic is generated between the banker and the C2. During its first communications with the C2, TeaBot sends the list of installed apps to verify whether the infected device has one or more targeted apps already installed. When TeaBot finds one, it downloads the specific payload to perform the overlay attack and starts tracking all the activity performed by the user in the targeted app. This information is sent back to the assigned C2 every 10 seconds.
Screenshots: One of the particularities of TeaBot is its capability to take screenshots in order to constantly monitor the screen of the compromised device. When the C2 sends the "start_client" command with an IP address and port, the remote side starts requesting images and TeaBot enters a loop in which it creates a "VirtualScreen" and captures screenshots from it.
Overlay attack: "The overlay attack is a well-known technique implemented in modern Android banking trojans (e.g. Anubis, Cerberus/Alien) which consists of a malicious application/user somehow able to perform actions on behalf of the victim. This usually takes the form of an imitation app or a WebView launched "on top" of a legitimate application (such as a banking app)."
See Appendix 1 - Geographical distribution of banks currently targeted by TeaBot for an overview of targeted apps.
Other features: TeaBot has other features common to other known Android bankers, such as:
disabling Google Play Protect
sending / intercepting / hiding SMS messages
stealing the other accounts listed in the Android Settings and Google Authenticator 2FA codes
simulating gestures and clicks on the screen (via Accessibility Services).
When the malicious app has been downloaded on the device, it tries to install itself as an "Android Service", which is an application component that can perform long-running operations in the background.
TeaBot abuses this component to silently hide itself from the user once installed, hindering detection and ensuring its persistence.
Furthermore, during the installation phase, TeaBot starts communicating with its C2 server in the background.
After the installation, TeaBot will request the following Accessibility Service permissions, which are mandatory to perform its malicious behaviour:
Observe your actions: used to intercept and observe the user's actions
Retrieve window content: used to retrieve sensitive information such as login credentials, SMS messages, 2FA codes from authentication apps, etc.
Perform arbitrary gestures: TeaBot uses this capability to accept, on the user's behalf, other kinds of permission prompts immediately after the installation phase, for example the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS popup.
Once the requested permissions have been accepted, the malicious application will remove its icon from the device.
During its first communications, TeaBot sends the list of installed apps to verify whether the infected device has one or more targeted apps already installed. When one or more targeted applications are found, the C2 sends the specific payloads to the device.
By analyzing TeaBot network communications, it was possible to group them into the following three main types:
[C2-URL]/api/botupdate: every 10 seconds TeaBot sends a POST request with all the information about the compromised device (Figure 8) (e.g. name of the SMS manager app installed, captured injects, passwords found, etc.). These are the only communications encrypted with the XOR algorithm, and the same key ("66") is used across multiple TeaBot samples. The response is typically composed of a configuration update (e.g. C2 addresses, commands to launch, etc.).
[C2-URL]/api/getkeyloggers: every 10 seconds TeaBot performs a GET request to retrieve the list of the apps targeted by the keylogger functionality.
[C2-URL]/api/getbotinjects: a POST request made by TeaBot during its first stage of infection with a JSON body (not encrypted) containing all the package names installed on the compromised device. With this information, TeaBot is able to know whether one or more targeted apps are present and download the related injection(s).
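The three endpoints and the fixed 10-second cadence described above are a usable network signature. As an added example (not code from the original post or from Cleafy), the following Python script runs that detection logic over constructed HTTP proxy log lines and includes a repeating-key XOR helper for the botupdate body. The log format, client addresses and C2 hostname are constructed for this example; the XOR helper assumes the key "66" is applied as its ASCII bytes repeated over the body, since the post gives the key value but not its exact encoding; and the decoded body's field names are illustrative, not TeaBot's schema.

```python
"""Detection logic for the TeaBot C2 pattern described above, run over
constructed HTTP proxy log lines: a client polling /api/botupdate (POST)
and /api/getkeyloggers (GET) at a steady ~10-second cadence, plus the
repeating-key XOR used on the botupdate body.

Log format, client addresses and the C2 hostname are constructed for
this example.  The XOR helper assumes the key "66" is applied as its
ASCII bytes repeated over the body; the article gives the key value but
not its exact encoding, so that is an assumption.
"""
import json
from collections import defaultdict
from datetime import datetime

TEABOT_ENDPOINTS = {
    ("POST", "/api/botupdate"),
    ("GET", "/api/getkeyloggers"),
    ("POST", "/api/getbotinjects"),
}


def parse_line(line):
    """Constructed log format: '<ISO timestamp> <client> <method> <url>'."""
    ts, client, method, url = line.split()
    host, _, path = url.split("://", 1)[1].partition("/")
    return datetime.fromisoformat(ts), client, method, host, "/" + path


def beaconing_hosts(lines, period=10.0, tolerance=2.0, min_requests=3):
    """Return {(client, host): {endpoint, ...}} for clients that hit a TeaBot
    endpoint at least min_requests times with gaps of period +/- tolerance."""
    seen = defaultdict(list)
    for line in lines:
        ts, client, method, host, path = parse_line(line)
        if (method, path) in TEABOT_ENDPOINTS:
            seen[(client, host, method, path)].append(ts)

    alerts = defaultdict(set)
    for (client, host, method, path), stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = sum(1 for g in gaps if abs(g - period) <= tolerance)
        # n regular gaps means n + 1 evenly spaced requests.
        if regular + 1 >= min_requests:
            alerts[(client, host)].add(f"{method} {path}")
    return dict(alerts)


def xor_bytes(data, key=b"66"):
    """Repeating-key XOR: symmetric, so one function both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_botupdate(blob, key=b"66"):
    """XOR-decode a captured botupdate body and parse it as JSON.
    Returns None when the result is not JSON (wrong key or other encoding)."""
    try:
        return json.loads(xor_bytes(blob, key).decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None


# Constructed proxy log: 10.0.0.5 shows the beacon cadence, 10.0.0.7 is noise
# (a one-off POST to a same-named path on an unrelated host must not alert).
SAMPLE_LOG = [
    "2021-05-10T12:00:00 10.0.0.5 POST https://c2.example.invalid/api/getbotinjects",
    "2021-05-10T12:00:01 10.0.0.5 POST https://c2.example.invalid/api/botupdate",
    "2021-05-10T12:00:01 10.0.0.5 GET https://c2.example.invalid/api/getkeyloggers",
    "2021-05-10T12:00:04 10.0.0.7 GET https://www.example.com/index.html",
    "2021-05-10T12:00:11 10.0.0.5 POST https://c2.example.invalid/api/botupdate",
    "2021-05-10T12:00:11 10.0.0.5 GET https://c2.example.invalid/api/getkeyloggers",
    "2021-05-10T12:00:15 10.0.0.7 POST https://api.example.com/api/botupdate",
    "2021-05-10T12:00:21 10.0.0.5 POST https://c2.example.invalid/api/botupdate",
    "2021-05-10T12:00:21 10.0.0.5 GET https://c2.example.invalid/api/getkeyloggers",
    "2021-05-10T12:00:31 10.0.0.5 POST https://c2.example.invalid/api/botupdate",
]

# Constructed botupdate body; field names are illustrative, not TeaBot's schema.
CONSTRUCTED_BODY = b'{"sms_manager":"com.android.mms","keylog":"user=victim"}'

if __name__ == "__main__":
    for (client, host), endpoints in beaconing_hosts(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {sorted(endpoints)}")
    print(decode_botupdate(xor_bytes(CONSTRUCTED_BODY)))
```

The single getbotinjects request is recorded but never alerts on its own, which matches the text: it is a one-off exchange during the first stage, while botupdate and getkeyloggers are the periodic polls worth alerting on. Because XOR with a static key is symmetric and the key is shared across samples, the same helper that decodes a captured body also lets an analyst recognise a TeaBot beacon by XOR-ing the first bytes of a POST body with the key and checking for a JSON opening brace.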
Appendix 1: Geographical distribution of banks currently targeted by TeaBot
Appendix 2: TeaBot commands
The following table summarizes all the commands found in TeaBot during the technical analysis:
app_delete : Delete an application given its package name
ask_syspass : Show a biometric authorization popup
ask_perms : Request permissions from the user
change_pass : Show a toast message (small popup) that informs the user to update the password (lock pattern)
get_accounts : Get the accounts listed in the Android settings
kill_bot : Remove itself
mute_phone : Mute the device
open_activity : Open an application given its package name
open_inject : Perform the overlay attack, opening the injection (HTML payload)
reset_pass : Under development
start_client : Define an IP and port used to observe the compromised device through screenshots
swipe_down : Perform a swipe gesture on the screen
grab_google_auth : Open the Google Authenticator app and grab the codes
activate_screen : Turn on the screen; TeaBot can control the device's screen state (e.g. keep it from dimming)