I. Targeted Entities

  • Google Play Store

II. Introduction

The TeaBot banking trojan, also known as “Anatsa,” has again been spotted on the Google Play Store, hidden inside apps that pose as harmless utilities.

III. Background Information

TeaBot is designed to intercept SMS messages and login credentials from unsuspecting users, and has affected users of more than 400 banking and financial apps, including those from Russia, China, and the U.S.[1] This is not the first time TeaBot has been a menace to Android users; it was first seen last year. It is a straightforward piece of malware designed to steal banking, contact, SMS, and other types of private data from infected devices.[1] What makes TeaBot notable is the way it spreads: it does not rely on a malicious email, text message, fraudulent website, or third-party service. Rather, it typically comes packaged in a dropper application.[1] A dropper is a program that seems legitimate from the outside but in reality acts as a medium to deliver a second-stage malicious payload.

TeaBot droppers have disguised themselves as inherently “safe” utilities, such as QR code scanners or PDF readers. Hank Schless, senior manager of security solutions at Lookout, said that attackers usually stick with apps like QR code scanners, flashlights, photo filters, or PDF scanners because users download those out of necessity and are unlikely to read the reviews that might dissuade them.[2] This strategy seems to be working: in January 2022, an app called QR Code Reader – Scanner App was found to have been distributing 17 different TeaBot variants for over a month, and it had more than 100,000 downloads by the time it was discovered.[1]

App stores have rules and protections aimed at stopping the spread of malware. For example, Google Play Protect helps root out malicious apps before they are installed and scans daily for evidence of nefarious activity.[1] TeaBot is different because its droppers are not obviously malicious; on the surface they look normal and uninteresting, and the code that passes store review does not contain the banking payload. Once a user opens one of these seemingly innocent apps, however, they are prompted to download a software update. The “update” is a second app, fetched from outside the store, that contains the malicious payload.[1] If the user grants the app permission to install software from an unknown source (the per-app “Install unknown apps” setting that Android ties to the REQUEST_INSTALL_PACKAGES permission), the infection process starts. Because this second stage never passes through Google Play, store-side review alone cannot catch it; on-device scanning at install time is the control that matters.

Like other Android malware, TeaBot attempts to leverage the device’s Accessibility Services, which are intended for assistive technology but allow an app to read what is on screen and inject taps and text into other apps. The user has to enable an accessibility service by hand in Settings, so the dropper social-engineers that prompt rather than bypassing it. These attacks use an advanced remote access feature that abuses the TeamViewer application, a legitimate remote desktop sharing tool, to give the cybercriminal remote control over the victim’s device.[1] The ultimate goal is to steal sensitive information such as login credentials, SMS messages, and two-factor authentication codes, and to perform malicious actions on the device.[1]
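The dropper behaviour described in the two paragraphs above (a utility app that can install a second-stage package, registers an Accessibility Service, and hooks incoming SMS) leaves a recognisable footprint in the app’s manifest. The following Python script is an added example for this advisory, not code from Cleafy, Threatpost, or the malware itself. It assumes you already have a decoded AndroidManifest.xml (for instance from apktool); the two manifests embedded in it are constructed samples, and the package names, component names, and scoring weights are assumptions of this example rather than a published scoring scheme.

```python
"""Triage a decoded AndroidManifest.xml for TeaBot-style dropper/banker indicators.

Added example for this advisory (not code from the original page, from Cleafy,
from Threatpost, or from the TeaBot authors). Input is a decoded manifest as text.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NAME = ANDROID_NS + "name"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions a QR/PDF utility rarely needs. Weights are an assumption of this
# example, chosen so that the install-plus-intercept combination scores highest.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,  # can sideload the 2nd-stage APK
    "android.permission.RECEIVE_SMS": 3,               # read 2FA codes as they arrive
    "android.permission.READ_SMS": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 2,       # overlay on top of banking apps
}


def analyze_manifest(xml_text: str) -> dict:
    """Return package name, risk score, findings and a verdict for one manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(NAME) for e in root.iter("uses-permission")}

    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    acc_services = [s.get(NAME) for s in root.iter("service")
                    if s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION]
    # A receiver listening for SMS_RECEIVED is the usual 2FA interception hook.
    sms_receivers = [r.get(NAME) for r in root.iter("receiver")
                     if any(a.get(NAME) == SMS_RECEIVED for a in r.iter("action"))]

    findings, score = [], 0
    for perm in sorted(perms):
        weight = SUSPICIOUS_PERMISSIONS.get(perm, 0)
        if weight:
            findings.append(perm)
            score += weight
    if acc_services:
        findings.append("accessibility service: " + ", ".join(acc_services))
        score += 3
    if sms_receivers:
        findings.append("SMS_RECEIVED receiver: " + ", ".join(sms_receivers))
        score += 2

    # Ability to install packages plus an accessibility service is the dropper
    # pattern from the advisory; treat that combination as high confidence.
    can_sideload = "android.permission.REQUEST_INSTALL_PACKAGES" in perms
    if can_sideload and acc_services:
        verdict = "likely-dropper"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "benign-looking"
    return {"package": package, "score": score, "findings": findings, "verdict": verdict}


# Constructed sample: what a real QR scanner's manifest typically looks like.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed sample: the same utility with the dropper/banker capabilities added.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner.pro">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".UpdateService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (BENIGN_MANIFEST, DROPPER_MANIFEST):
        result = analyze_manifest(manifest)
        print(f"{result['package']}: {result['verdict']} (score {result['score']})")
        for finding in result["findings"]:
            print("  -", finding)
```

The script flags the manifest, not the behaviour: a dropper that only declares CAMERA and INTERNET on the store copy and downloads the capabilities later will score as benign-looking here, which is exactly why the second-stage APK fetched by the “update” prompt also needs to be scanned on the device.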

According to researchers at Cleafy, “in less than a year, the number of applications targeted by TeaBot have grown more than 500%, going from 60 targets to over 400.”[1] Shawn Smith, director of infrastructure at nVisium, says that real-time scanning of app downloads, including apps that do not originate from Google Play, would help mitigate the problem. Smith added that additional warning messages when installing app add-ons that do not come from Google Play could also be useful.[2] Until app stores solve the dropper problem, users need to remain vigilant: treat any in-app prompt to install an “update” from outside the store as a red flag, and periodically review which apps have been granted Accessibility access.

IV. MITRE ATT&CK

  • T1475 – Deliver Malicious App via Authorized App Store
    Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Smartphones are often configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto target devices.
  • T1444 – Masquerade as Legitimate Application
    An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.
  • T1413 – Access Sensitive Data in Device Logs
    On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device’s system log. On Android 4.1 and later, an adversary would need to perform an operating system privilege escalation attack to be able to access the log.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on endpoint protection
    Enable the endpoint detection and response (EDR) capabilities of the endpoint product you are using so that unknown malware is detected and blocked on the device, not just matched against known signatures.
  • Restrict Sideloading and Accessibility Access
    TeaBot’s second stage only installs if the user allows installs from unknown sources, and its credential theft depends on an Accessibility Service grant. On managed devices, block the “Install unknown apps” permission by policy and audit enabled accessibility services; on unmanaged devices, instruct users to refuse in-app “update” prompts and to grant Accessibility access only to apps that genuinely need it.

VI. Indicators of Compromise (IOCs)

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.

https://usf.box.com/s/inzlsmaxpkn72bo64sv5wya7ythbftid

VII. References

(1) Cleafy Labs. “TeaBot Is Now Spreading across the Globe.” Cleafy Labs, January 3, 2022. https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe.

(2) Nelson, Nate. “TeaBot Trojan Haunts Google Play Store, Again.” Threatpost, March 2, 2022. https://threatpost.com/teabot-trojan-haunts-google-play-store/178738/.

Threat Advisory created by the Cyber Florida Security Operations Center.
Contributing Security Analysts: Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.