Teabot

Malware updated 23 days ago (2024-11-29T14:19:35.824Z)
TeaBot, also known as Anatsa, is a sophisticated Android malware family. It first emerged as a significant threat in 2022, when it was identified as one of the most active banking malware families alongside Flubot, Sharkbot, and Hydra.

TeaBot, along with other notable banking Trojans such as BianLian, Cerberus, and Hook, uses a technique called BadPack to infect Android devices without being detected. The method relies on second-stage dropper applications that appear benign to users, tricking them into installing the malicious payload. Unit 42 researchers have observed that many Android banking Trojans, including TeaBot, are increasingly using this stealthy approach, a trend that has contributed to the surge in Android banking Trojans in recent years.

Beyond its infiltration method, TeaBot employs several detection-evasion techniques: it checks for virtual environments and emulators, and it deliberately corrupts the APK's ZIP headers to hinder static analysis of the malware. It also retrieves remote payloads from command-and-control (C2) servers to carry out further malicious activity.

Zscaler ThreatLabz has recently identified two fake Android applications used to deploy TeaBot: a PDF reader app named 'PDF Reader & File Manager' and a QR code reader app named 'QR Reader & File Manager'. On the Google Play Store, these apps are listed under the developer names 'TSARKA Watchfaces' and 'risovanui', respectively. Although TeaBot is not the most prevalent Trojan, its evasion techniques and its effective use of seemingly harmless applications make it one of the most potent threats in the wild.
Description last updated: 2024-10-17T12:48:37.604Z
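The ZIP header corruption mentioned in the description is something a defender can screen for statically, because a tampered local file header will disagree with the central directory entry that points to it. The following Python script is an added example, not code from the page or from any vendor: it builds a constructed sample archive standing in for an APK, tampers with its local headers as a test fixture, and flags every member whose local header fields diverge from the central directory.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_HDR = "<4sHHHHHIIIHH"   # fixed 30-byte local file header layout


def build_sample_archive() -> bytes:
    """Constructed sample: a tiny ZIP standing in for an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>" * 20)
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(200))
    return buf.getvalue()


def tamper_local_headers(data: bytes) -> bytes:
    """Constructed test fixture: overwrite the compression method in every
    local file header while leaving the central directory untouched, giving
    the kind of header inconsistency the description refers to."""
    out = bytearray(data)
    pos = out.find(LOCAL_SIG)
    while pos >= 0:
        struct.pack_into("<H", out, pos + 8, 0xFFFF)  # method field sits at +8
        pos = out.find(LOCAL_SIG, pos + 4)
    return bytes(out)


def header_mismatches(data: bytes) -> list:
    """Return (member, field) pairs where the local file header disagrees with
    the central directory. A parser that trusts only one of the two structures
    can be misled, so any disagreement deserves a closer look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:      # parses central dir only
        for info in zf.infolist():
            off = info.header_offset
            (sig, _ver, flags, method, _mt, _md, crc, csize, usize,
             nlen, _xlen) = struct.unpack_from(LOCAL_HDR, data, off)
            name = data[off + 30:off + 30 + nlen]
            if sig != LOCAL_SIG:
                findings.append((info.filename, "signature"))
            if name != info.filename.encode("utf-8"):
                findings.append((info.filename, "name"))
            if method != info.compress_type:
                findings.append((info.filename, "method"))
            # Bit 3 set: CRC/sizes live in a trailing data descriptor, not here.
            if not flags & 0x08 and (crc, csize, usize) != (
                    info.CRC, info.compress_size, info.file_size):
                findings.append((info.filename, "crc/sizes"))
    return findings


if __name__ == "__main__":
    print(header_mismatches(build_sample_archive()))
    print(header_mismatches(tamper_local_headers(build_sample_archive())))
```

Real samples may also break the archive in ways Python's zipfile refuses to open at all; treat a parse failure on a file that still installs on a device as a finding in its own right.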
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Alias / Description / Votes

Anatsa (4 votes): Anatsa is a possible alias for Teabot. Anatsa, a sophisticated Android banking trojan, is a malware designed to exploit and damage your device while stealing user financial data. It often masquerades as an innocuous file-management app to trick users into downloading it. Once installed, Anatsa downloads a target list of financial apps fr

Toddler (2 votes): Toddler is a possible alias for Teabot. The malware known as "Toddler," also referred to as Anatsa or TeaBot, first emerged in early 2021. It was typically disguised as harmless utility apps such as PDF readers, QR code scanners, and two-factor authentication (2FA) apps on Google Play to steal users' credentials. However, a resurgence of
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Android
Trojan
Banking
Dropper
Payload
Associated Malware
Malware / Description / Association type / Votes

Cerberus (association type: Unspecified; 2 votes): The Cerberus Malware is associated with Teabot. Cerberus is a potent Android banking trojan that first surfaced on underground marketplaces in 2019. This malicious software, which operates as a hidden application on the victim's device, infiltrates systems via suspicious downloads, emails, or websites without the user's awareness. Once inside, it
Associated Threat Actors
Threat actor / Description / Association type / Votes

BianLian (association type: Unspecified; 2 votes): The BianLian Threat Actor is associated with Teabot. BianLian is a threat actor that has been active in cybercrime, leveraging various techniques for malicious intent. Prior to January 2024, the group used an encryptor (encryptor.exe) that modified all encrypted files to have the .bianlian extension and created a ransom note in each affected directory