The trojan TeaBot, also known as Anatsa, is being distributed to Android devices with the intention of stealing banking credentials from its victims, as reported by researchers from Bitdefender. The malware is distributed through fake Android apps that are downloaded onto the device and "side-loaded", avoiding the scrutiny that apps normally receive when they are hosted on an official app store. The apps are not available on the Google Play Store; they are hosted on a third-party website, and victims are being tricked into downloading and installing them. It is unclear what is driving victims to the website to download these apps, but phishing through SMS and email messages are the methods most often used by threat actors.

The most common app is an AdBlocker, which once downloaded asks the user for permission to display over other apps, show notifications, and install applications from outside the Google Play Store. The fake AdBlocker app is being used as a dropper for the malware: it shows a fake alert stating that the user has malware and entices them to click a link for the "solution", which in turn downloads TeaBot.

TeaBot appears to concentrate much of its targeting on Western Europe, with Spain and Italy the current hotspots for infections, although users in the UK, France, Belgium, the Netherlands, and Austria are also frequent targets.
When downloading any sort of application, Android device owners should only use a trusted store such as the Google Play Store. Downloading apps from untrusted sources is never recommended and often leads to security incidents. Business-owned devices should also be reviewed frequently using Mobile Device Management (MDM) solutions to check whether malware has been installed. If malware is discovered, it should be removed promptly and, in this case, passwords should be changed. Whenever installing applications, users should always pay attention to the permissions they are granting the app; a request for excessive permissions that don't make sense for the app's purpose is one sign that it might be a threat. The campaign remains active, and while many of the distribution methods beyond the fake AdBlocker remain unknown, there are precautions that users can take to avoid becoming a victim.
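As an added illustration of the device review described above (this script is not from the Bitdefender report or from any MDM product), the following Python flags apps that were not installed by the Play Store and that request all three permissions the fake AdBlocker asks for: drawing over other apps, posting notifications and installing packages. It assumes the line formats of `adb shell pm list packages -i` and the "requested permissions:" section of `adb shell dumpsys package <pkg>`; the package names and command outputs below are constructed samples.

```python
import re

# Constructed sample of `adb shell pm list packages -i` output (not real device data);
# installer=null means no recorded installer, which on a managed device usually means side-loaded.
PM_LIST_SAMPLE = """\
package:com.example.bankapp  installer=com.android.vending
package:com.adblocker.free  installer=null
package:com.example.notes  installer=null
"""

# Constructed excerpts of `adb shell dumpsys package <pkg>` output, keyed by package name.
DUMPSYS_SAMPLE = {
    "com.example.bankapp": "    requested permissions:\n      android.permission.INTERNET\n",
    "com.adblocker.free": (
        "    requested permissions:\n"
        "      android.permission.SYSTEM_ALERT_WINDOW\n"
        "      android.permission.POST_NOTIFICATIONS\n"
        "      android.permission.REQUEST_INSTALL_PACKAGES\n"
        "      android.permission.INTERNET\n"
        "    install permissions:\n"
    ),
    "com.example.notes": "    requested permissions:\n      android.permission.INTERNET\n",
}

TRUSTED_INSTALLERS = {"com.android.vending"}  # package name of the Google Play Store

# The three permissions the dropper asks for: overlay, notifications, install from outside the store.
DROPPER_PERMISSIONS = {"android.permission.SYSTEM_ALERT_WINDOW",
                       "android.permission.POST_NOTIFICATIONS",
                       "android.permission.REQUEST_INSTALL_PACKAGES"}

def parse_installers(pm_list_output):
    """Map package name -> installer package, or None when pm reports 'null'."""
    pairs = re.findall(r"^package:(\S+)\s+installer=(\S+)$", pm_list_output, re.M)
    return {pkg: (None if inst == "null" else inst) for pkg, inst in pairs}

def requested_permissions(dumpsys_output):
    """Return the names listed under 'requested permissions:' (one name per indented line)."""
    m = re.search(r"requested permissions:\n((?:[ \t]+\S+\n)*)", dumpsys_output)
    return set(m.group(1).split()) if m else set()

def flag_sideloaded_droppers(pm_list_output, dumpsys_by_pkg, trusted=TRUSTED_INSTALLERS):
    """List (package, installer, matched permissions) for apps not installed by a
    trusted store that request every permission in DROPPER_PERMISSIONS."""
    hits = []
    for pkg, installer in parse_installers(pm_list_output).items():
        if installer in trusted:
            continue  # installed through the Play Store; not side-loaded
        matched = requested_permissions(dumpsys_by_pkg.get(pkg, "")) & DROPPER_PERMISSIONS
        if matched == DROPPER_PERMISSIONS:
            hits.append((pkg, installer, sorted(matched)))
    return hits
```

On a real device the two inputs would come from `adb shell pm list packages -i` and one `adb shell dumpsys package <pkg>` call per non-store package; any hit is a candidate for removal and a password reset, not proof of infection.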