top of page
  • Admin

TeaBot Trojan Steals Android Banking Credentials

Published: June 24, 2021 on our newsletter Security Fraud News & Alerts Newsletter.

There’s a new Android banking trojan making the rounds overseas, but like other malware attacks in other countries, it won’t take TeaBot Trojan long to reach the U.S. TeaBot is the latest addition to trojan mobile malware currently attacking banks in Germany, Spain, Italy, Belgium, and the Netherlands. Still in early development, the goal of TeaBot is stealing user credentials for fraudulent activities against financial institutions. TeaBot starts the device infection by posing as a legitimate package delivery service. The trojan sends fake SMS text messages (also known as smishing) about bogus package deliveries as the way to begin its costly malware infection.

TeaBot’s entry methods have been seen before in other banking trojans like FluBot and BRATA. TeaBot’s intent is stealing victim credentials via SMS messages to launch financial fraud against targeted banks. Once installed on a victim’s device, TeaBot sends a spyware live stream of the victim’s screen to the remote attacker and can abuse the Accessibility Service to further its attack.

TeaBot also allows the hacker to take screenshots, record keystrokes, and overlay a malicious web page on top of banking login screens. All of these actions are designed to steal user financial credentials and payment card data. The trojan can also intercept text messages, disable Google Play Protect, and steal 2FA codes (two-factor authentication) that verify a user’s identity. The attacker is able to send the stolen information to their remote server every ten seconds. That’s a lot of potential damage.

Since TeaBot can steal 2FA codes, an option to secure your identity online should be considered. Hardware tokens, also called fobs or key fobs, can keep your 2FA from a hacker’s grasp. Key fobs communicate wireless signals to a sensor used for authentication. Passwords and 2FA are no longer needed, removing any interference by hackers looking to steal identity data. This option not only provides greatly improved identity security for the user, but for the business requiring login authentication as well. While some may be bothered by having to hold onto another piece of hardware, the benefits far outweigh the annoyance.

As always, watch out for phishing email messages and never click links or attachments that arrive in your inbox unless you know the sender, were expecting the message, or do your own independent verification that it is legitimate to click it.

Keep up to date: Sign up for our Fraud alerts and Updates newsletter

Want to schedule a conversation? Please email us at


bottom of page