Teabot

Malware updated 23 days ago (2024-11-29T14:19:35.824Z)

Download STIX

Preview STIX

TeaBot, also known as Anatsa, is a sophisticated malware that has been impacting Android devices. It first emerged as a significant threat in 2022 when it was identified as one of the most active banking malware families alongside Flubot, Sharkbot, and Hydra. TeaBot, along with other notable banking Trojans like BianLian, Cerberus, and Hook, uses a technique called BadPack to infect Android devices without being detected. This method involves utilizing second-stage dropper applications that appear benign to users, thereby tricking them into installing the malicious payload. Unit 42 researchers have observed that many Android banking Trojans, including TeaBot, are increasingly using this stealthy approach. This trend has contributed to the surge in prevalence of Android banking Trojans in recent years. In addition to its stealthy infiltration methods, TeaBot employs various techniques to evade detection such as checking for virtual environments and emulators, and purposely corrupting the APK’s ZIP headers to hinder static analysis of the malware. Furthermore, TeaBot utilizes remote payloads retrieved from command-and-control (C2) servers to carry out further malicious activities. Zscaler ThreatLabz has recently identified two fake Android applications used to deploy TeaBot: a PDF reader app named 'PDF Reader & File Manager' and a QR code reader app named 'QR Reader & File Manager'. On the Google Play Store, these apps are listed under the developer names 'TSARKA Watchfaces' and 'risovanui', respectively. Despite not being the most prevalent Trojan, TeaBot's sophisticated evasion techniques and effective use of seemingly harmless applications make it one of the most potent threats in the wild.

Description last updated: 2024-10-17T12:48:37.604Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Anatsa is a possible alias for Teabot. Anatsa, a sophisticated Android banking trojan, is a malware designed to exploit and damage your device while stealing user financial data. It often masquerades as an innocuous file-management app to trick users into downloading it. Once installed, Anatsa downloads a target list of financial apps fr	4
Toddler is a possible alias for Teabot. The malware known as "Toddler," also referred to as Anatsa or TeaBot, first emerged in early 2021. It was typically disguised as harmless utility apps such as PDF readers, QR code scanners, and two-factor authentication (2FA) apps on Google Play to steal users' credentials. However, a resurgence of	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Android

Trojan

Banking

Dropper

Payload

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Cerberus Malware is associated with Teabot. Cerberus is a potent Android banking trojan that first surfaced on underground marketplaces in 2019. This malicious software, which operates as a hidden application on the victim's device, infiltrates systems via suspicious downloads, emails, or websites without the user's awareness. Once inside, it	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The BianLian Threat Actor is associated with Teabot. BianLian is a threat actor that has been active in cybercrime, leveraging various techniques for malicious intent. Prior to January 2024, the group used an encryptor (encryptor.exe) that modified all encrypted files to have the .bianlian extension and created a ransom note in each affected directory	Unspecified	2

Source Document References

Information about the Teabot Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	5 months ago	BingoMod Android RAT steals money from victims' bank accounts and wipes data
DARKReading	5 months ago	'BadPack' APK Files Make Android Malware Hard to Detect
Unit42	5 months ago	Beware of BadPack: One Weird Trick Being Used Against Android Devices
DARKReading	7 months ago	90+ Malicious Apps Totaling 5.5M Downloads Lurk on Google Play
InfoSecurity-magazine	7 months ago	TeaBot Banking Trojan Activity on the Rise, Zscaler Observes
CERT-EU	a year ago	Appdome unveils advanced Anti-Malware protections against Android accessibility service threats
CERT-EU	a year ago	Appdome releases new defenses to combat accessibility malware
CERT-EU	2 years ago	Threat Spotlight – Hydra
CERT-EU	a year ago	Appdome Releases New Defenses to Combat Accessibility Malware – Global Security Mag Online
CERT-EU	a year ago	Anatsa Banking Trojan Targeting Users in US, UK, Germany, Austria, and Switzerland
CERT-EU	a year ago	Mobile Banking Heists: The Emerging Threats and How to Respond - Zimperium
Securityaffairs	10 months ago	Anatsa Android banking Trojan expands to new countries
CERT-EU	a year ago	29 malware families target 1,800 banking apps worldwide - Help Net Security
CERT-EU	a year ago	Anatsa Banking Trojan Targeting Users in US, UK, Germany, Austria, and Switzerland
CERT-EU	10 months ago	Mastering proactive cybersecurity: Automated endpoint management and vulnerability remediations
CERT-EU	10 months ago	More countries targeted by Anatsa banking trojan