TeaBot, posing as “QR Code Scanner: Add-On”, is downloaded from two specific GitHub repositories created by the user feleanicusor. It has been verified that those repositories contained multiple TeaBot samples starting from Feb 17, 2022:
As reported in “TeaBot is now spreading across the globe” (Cleafy Labs):
Background and key points
TeaBot is an Android banking trojan that emerged at the beginning of 2021, designed to
steal victims’ credentials and SMS messages.
TeaBot’s RAT capabilities are achieved via live streaming of the device screen
(requested on demand) plus the abuse of Accessibility Services for remote
interaction and key-logging. This enables Threat Actors (TAs) to perform ATO
(Account Takeover) directly from the compromised phone, also known as
“on-device fraud”.
Initially, TeaBot was distributed through smishing campaigns using a
predefined list of lures, such as TeaTV, VLC Media Player, DHL, UPS
and others.
Recent samples show how TAs are evolving their side-loading techniques,
including the distribution of applications on the official Google Play Store,
also known as “dropper applications”.
In recent months, we detected a major increase in targets, which now number
more than 400 applications, including banks, crypto exchanges/wallets and
digital insurance, and new countries such as Russia, Hong Kong, and the US.
See the full report here.