Photograph of a Robot Handing Over Some Tea
© Olena Yakobchuk/

A March 1st threat intelligence report by Cleafy labs, a major update to their earlier investigations, unfurled the background, distribution, attack techniques, and more about a formidable modern Android “banker” trojan: TeaBot.

The TeaBot malware, also known as Anatsa or Toddler, includes RAT (Remote Access Trojan) capabilities allowing threat actors to conduct “on-device fraud” (account takeover), steal victims’ credentials, and SMS messages, all while remaining under the radar.

Since first being tracked by threat intelligence at the beginning of 2021, TeaBot has been deemed to be evolving, increasing its global scope and targeting over 400 applications across the globe, Cleafy said.

TeaBot in 2021

When TeaBot was first sniffed out in 2021, it “appeared to be at its early stages of development” and the distribution channels were mainly socially-engineered smishing campaigns targeting victims via VLC Media Player, TeaTV, DHL, UPS, and others.

Last year, the trojan had emerged in Italy and targeted banks in Europe, Cleafy said.

TeaBot’s Evolution in 2022

TeaBot is now targeting multiple industries including; crypto exchanges and wallets, digital insurance and banks as well as “new countries such as Russia, Hong Kong, and the US.”

The trojan has also allowed threat actors to expand their “side-loading” techniques including incorporating “dropper applications” on the Google Play store.

In the past few months, TeaBot has started to support new languages such as Slovak, Russian, and Mandarin Chinese to appear more legitimate, as well as utilizing “string obfuscation” to boost evasion techniques and avoid detection by anti-malware suites, Cleafy said.

It has been cleverly designed to sidestep detection because it “requests only a few permissions and the malicious app is downloaded at a later time” Cleafy added.

“In less than a year, the number of applications targeted by TeaBot have grown more than 500%, going from 60 targets to over 400.”

QR Code & Barcode – Scanner

New TeaBot campaigns spreading since last month involve a “QR Code & Barcode – Scanner” dropper application published last month by “QR BarCode Scannnner Business LLC Tools” on the official Google Play Store.

The app delivers the TeaBot via a fake update procedure and has since been downloaded over 10,000 times, having raked in gleaming reviews by the community in the process.

The malicious application will immediately request an update and full control permissions through popup messages “unlike legitimate apps”, later prompting the user to download a second application called “QR Code Scanner: Add-On” — a.k.a the TeaBot RAT.

Subsequently, TeaBot will try to permanently install itself as an Android Service “ensuring its persistence.”

Once a victim accepts the updates and allows full device access to the “View and control screen” and “View and perform actions” features of the app, sensitive information such as 2FA (multi-factor) codes, SMS and login credentials can be retrieved by the threat actor’s C2 server.

TeaBot’s attributes

Once a user has given access to the malicious application, TeaBot will be able to conduct keylogging, remote device hijacking (overlay attack), and live screen monitoring on a victim’s device.

GitHub user “feleanicusor”

GitHub user “feleanicusor” is distributing the TeaBot from two specific GitHub repositories containing “multiple TeaBot” samples, Cleafy said.

Dropper Apps and Banking Trojans on the Rise

Droppers have recently become increasingly popular in the cybercriminal malware developer community. This way threat actors can “infiltrate official Android repositories” Cleafy added.

These apps are a “common tactic” now being leveraged by malware developers to “clear existing security checks” and allow malicious apps to be published publicly. Once a large herd of victims has downloaded the unassuming app, the cherry on top is to “then deploy an update that turns the software malicious” Cleafy said.

Similiar financially-motivated cybercrime campaigns have been tracked by threat intelligence organizations in 2021, such as FluBot and Medusa, and Roaming Mantis.

Mobile RAT trojans, the core technology that serves as a foundation for TeaBot and other campaigns to steal information and take over devices, have also become far more sophisticated.

Banking trojans are still the biggest threat to the mobile security landscape. About 100,000 of them were detected last year, and they continue to compromise tens of thousands of Android users.

To better defend your financial accounts and devices against malware, make sure to check out our full guide on Trojans. If you’re specifically concerned with Android devices, we’ve also compiled a full rundown to optimize your Android privacy and security settings.

Leave a comment