Teabot

Malware updated 2 months ago (2024-07-16T14:17:39.921Z)
TeaBot, also known as Anatsa, is a sophisticated Android banking Trojan that targets applications from over 650 financial institutions. It was first observed to use second-stage dropper applications that appear benign to users, deceiving them into installing the payload. TeaBot utilizes remote payloads retrieved from command-and-control (C2) servers to carry out further malicious activities. In addition, it employs various techniques to evade detection, including checking for virtual environments and emulators, as well as purposely corrupting the APK’s ZIP headers to hinder static analysis of the malware.

In November 2023, researchers from ThreatFabric observed a resurgence of the TeaBot banking Trojan. This malware uses a method known as BadPack, common among Android-based banking Trojans like BianLian and Cerberus. Two fake Android applications were recently used to deploy TeaBot: a PDF reader app called ‘PDF Reader & File Manager’ and a QR code reader app called ‘QR Reader & File Manager.’ On the Google Play Store, the former’s front-end developer name appears as ‘TSARKA Watchfaces’ and the latter’s as ‘risovanui.’

Despite not being one of the most frequently used Android Trojans, TeaBot is considered one of the most sophisticated ones in the wild. It has been one of the most active banking malware families for Android in 2022, alongside other notorious families such as Flubot, Sharkbot, and Hydra. Measured by the number of banks targeted, TeaBot ranks among the top banking malware families, along with Hook and Godfather. Researchers from Zscaler ThreatLabz reported an uptick in malicious activity leveraging TeaBot on May 27, 2024.
Description last updated: 2024-07-16T14:16:01.565Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Anatsa | 4 | Anatsa, a sophisticated Android banking trojan, is a malware designed to exploit and damage your device while stealing user financial data. It often masquerades as an innocuous file-management app to trick users into downloading it. Once installed, Anatsa downloads a target list of financial apps fr
Toddler | 2 | The malware known as "Toddler," also referred to as Anatsa or TeaBot, first emerged in early 2021. It was typically disguised as harmless utility apps such as PDF readers, QR code scanners, and two-factor authentication (2FA) apps on Google Play to steal users' credentials. However, a resurgence of
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Android
Trojan
Banking
Dropper
Payload
Associated Malware
ID | Type | Votes | Profile Description
Cerberus | Unspecified | 2 | Cerberus is a type of malware, a harmful software designed to exploit and damage systems. It has been found to be associated with various platforms and versions of Siemens Cerberus PRO UL, including the Compact Panel FC922/924 and the Engineering Tool, all versions prior to MP4. Additionally, Cerber
Associated Threat Actors
ID | Type | Votes | Profile Description
Bianlian | Unspecified | 2 | BianLian is a significant threat actor within the cybersecurity landscape, known for its malicious activities and cyber-attacks. The group has been particularly active in exploiting bugs in JetBrains TeamCity, a popular continuous integration and deployment system used by software development teams.
Source Document References
Information about the Teabot malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | a month ago | BingoMod Android RAT steals money from victims' bank accounts and wipes data
DARKReading | 2 months ago | 'BadPack' APK Files Make Android Malware Hard to Detect
Unit42 | 2 months ago | Beware of BadPack: One Weird Trick Being Used Against Android Devices
DARKReading | 3 months ago | 90+ Malicious Apps Totaling 5.5M Downloads Lurk on Google Play
InfoSecurity-magazine | 3 months ago | TeaBot Banking Trojan Activity on the Rise, Zscaler Observes
CERT-EU | a year ago | Appdome unveils advanced Anti-Malware protections against Android accessibility service threats
CERT-EU | a year ago | Appdome releases new defenses to combat accessibility malware
CERT-EU | 2 years ago | Threat Spotlight – Hydra
CERT-EU | a year ago | Appdome Releases New Defenses to Combat Accessibility Malware – Global Security Mag Online
CERT-EU | a year ago | Anatsa Banking Trojan Targeting Users in US, UK, Germany, Austria, and Switzerland
CERT-EU | 8 months ago | Mobile Banking Heists: The Emerging Threats and How to Respond - Zimperium
Securityaffairs | 7 months ago | Anatsa Android banking Trojan expands to new countries
CERT-EU | 8 months ago | 29 malware families target 1,800 banking apps worldwide - Help Net Security
CERT-EU | 6 months ago | Mastering proactive cybersecurity: Automated endpoint management and vulnerability remediations
CERT-EU | 7 months ago | More countries targeted by Anatsa banking trojan