TeaBot Trojan: Active and Performing Fraudulent Activities


A new Android trojan has been discovered that hijacks users' SMS messages and credentials to perform fraudulent activities. The trojan is identified as TeaBot or Anatsa and is mostly targeting banking users located in Spain, Germany, the Netherlands, Italy, and Belgium. 

What has happened?


According to researchers, the trojan is believed to be in its early stages of development, with malicious attacks targeting financial apps launched in late March. However, the first TeaBot activity began in January.
The trojan spread via rogue applications masquerading as package delivery and media services, such as VLC Media Player, TeaTV, UPS, and DHL, that worked as droppers.
These droppers load a second-stage payload and force the victim into granting Accessibility Services permissions. Moreover, TeaBot uses the same decoy (fake shipment apps) as FluBot.
Once the trojan is successfully installed on the victim's device, the attackers can get a live stream of the device screen and interact with it via Accessibility Services.
Further, the trojan can exploit the Accessibility Services access to record keystrokes, take screenshots, and inject malicious overlays.

Abusing accessibility services


Since the start of this year, several malware families have been observed abusing Accessibility Services to gain total control over victim devices.


A few weeks ago, the FluBot malware was discovered to be abusing the Android Accessibility Service. The malware targeted mobile users in the U.K., Spain, Hungary, Germany, Italy, and Poland.
Last month, BRATA malware was found taking full control of the device by utilizing Accessibility Services. The malware was spreading via malicious a ..
