The trojan TeaBot, or Anatsa, is being distributed onto Android devices with the intention of stealing banking credentials from its victims, as reported by researchers from Bitdefender. The malware is delivered through fake Android apps that are downloaded and "side-loaded" onto the device, which avoids the scrutiny apps normally get when they are hosted by an official app store. The apps are not available on the Google Play Store; they are hosted on a third-party website, and victims are being tricked into downloading and installing them. It is unclear what is driving victims to the website to download these apps, but SMS and email phishing are the methods most often used by threat actors.

The most common app is a fake AdBlocker which, once downloaded, asks the user for permission to display over other apps, show notifications, and install applications from outside the Google Play Store. The fake AdBlocker app is used as a dropper for the malware: it shows a fake alert stating that the user has malware and entices them to click a link for the solution, which in turn downloads TeaBot.

TeaBot appears to concentrate much of its targeting on Western Europe, with Spain and Italy the current hotspots for infections, although users in the UK, France, Belgium, the Netherlands, and Austria are also frequent targets.