{
	"id": "95b973ec-89b3-4fc5-9c76-2fd5785ca016",
	"created_at": "2026-04-06T00:11:18.859214Z",
	"updated_at": "2026-04-10T13:11:47.629814Z",
	"deleted_at": null,
	"sha1_hash": "07553309bfd10035b6707732f5c56daec565cef5",
	"title": "TeaBot is now spreading across the globe | Cleafy Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2766008,
	"plain_text": "TeaBot is now spreading across the globe | Cleafy Labs\r\nArchived: 2026-04-05 13:12:04 UTC\r\nBackground and key points\r\nTeaBot is an Android banking trojan emerged at the beginning of 2021 designed for stealing victim’s\r\ncredentials and SMS messages\r\nTeaBot RAT capabilities are achieved via the device screen’s live streaming (requested on-demand) plus\r\nthe abuse of Accessibility Services for remote interaction and key-logging. This enables Threat Actors\r\n(TAs) to perform ATO (Account Takeover) directly from the compromised phone, also known as “On-device fraud”.\r\nInitially TeaBot has been distributed through smishing campaigns using a predefined list of lures, such as\r\nTeaTV, VLC Media Player, DHL and UPS and others.\r\nRecent samples show how TAs are evolving their side-loading techniques, including the distribution of\r\napplications on the official Google Play Store, also known as “dropper applications”.\r\nIn the last months, we detected a major increase of targets which now count more than 400 applications,\r\nincluding banks, crypto exchanges/wallets and digital insurance, and new countries such as Russia, Hong\r\nKong, and the US (Figure 1).\r\nThe following article is a major update of the previous TeaBot: a new Android malware emerged in Italy, targets\r\nbanks in Europe published in May, 2021 in our blog “Cleafy Labs”.\r\nFigure 1 – Updated targeted of TeaBot (February 2022)\r\nHow TeaBot is evolving its distribution\r\nhttps://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe\r\nPage 1 of 8\n\nOne of the most interesting aspects of the TeaBot’s distribution are the latest techniques implemented on its\r\ncampaigns. During 2021, TeaBot appeared to be at its early stages of development and it was mainly distributed\r\nthrough smishing campaigns using a predefined list of lures, such as TeaTV, VLC Media Player, DHL and UPS and\r\nothers.\r\nOn February 21, 2022, the Cleafy Threat Intelligence and Incident Response (TIR) team was able to discover an\r\napplication published on the official Google Play Store, which was acting as a dropper application delivering\r\nTeaBot with a fake update procedure. The dropper lies behind a common QR Code \u0026 Barcode Scanner and, at the\r\ntime of writing, it has been downloaded +10.000 times. All the reviews display the app as legitimate and well-functioning.\r\nFigure 2 – TeaBot dropper published on the official Google Play Store (February 2022)\r\nHowever, once downloaded, the dropper will request immediately an update through a popup message. Unlike\r\nlegitimate apps that perform the updates through the official Google Play Store, the dropper application will\r\nrequest to download and install a second application, as displayed in Figure 3. This application has been detected\r\nto be TeaBot.\r\nhttps://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe\r\nPage 2 of 8\n\nFigure 3 – TeaBot installation via a fake update (February 2022)\r\nTeaBot, posing as “QR Code Scanner: Add-On”, is downloaded from two specific GitHub repositories created by\r\nthe user feleanicusor. It has been verified that those repositories contained multiple TeaBot samples starting from\r\nFeb 17, 2022:\r\nFigure 4 – Github repository used to store the TeaBot samples\r\nThe following graph will give you an overview of the actual infection chain developed by TAs and how they are\r\nimproving their sideloading technique for distributing TeaBot, starting from a dropper application spreaded via the\r\nofficial Google Play Store and abusing Github service for hosting the actual malicious payload:\r\nhttps://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe\r\nPage 3 of 8\n\nFigure 5 – TeaBot infection chain\r\nOnce the users accept to download and execute the fake “update”, TeaBot will start its installation process by\r\nrequesting the Accessibility Services permissions in order to obtain the privileges needed:\r\nView and control screen: used for retrieving sensitive information such as login credentials, SMS, 2FA\r\ncodes from the device’s screen.\r\nView and perform actions: used for accepting different kinds of permissions, immediately after the\r\ninstallation phase, and for performing malicious actions on the infected device.\r\nhttps://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe\r\nPage 4 of 8\n\nFigure 6 – Permissions requested by TeaBot during the installation phases\r\nNew targets, new evasion techniques\r\nOne of the biggest difference, compared to the samples discovered during the May 2021 [1], is the increase of\r\ntargeted applications which now include home banking applications, insurances applications, crypto wallets\r\nand crypto exchanges. In less than a year, the number of applications targeted by TeaBot have grown more than\r\n500%, going from 60 targets to over 400.\r\nhttps://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe\r\nPage 5 of 8\n\nFigure 7 – Comparison between the TeaBot targets in May 2021 and Feb 2022\r\nDuring the last months, TeaBot has also started supporting new languages, such as Russian, Slovak and Mandarin\r\nChinese, useful for displaying custom messages during the installation phases.\r\nFigure 8 – New languages supported by TeaBot (e.g. Russian, Slovak, Chinese, etc..)\r\nMoreover, it has been observed that TAs have been working on the sophistication of evasion techniques, such as\r\nstring obfuscation, used both for preventing a smooth static analysis, and for further lowering the  detection rate\r\nby anti-malware solutions available on the market. An example of the new evasion techniques introduced in recent\r\nTeaBot samples is given in Figure 9.\r\nhttps://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe\r\nPage 6 of 8\n\nFigure 9 – New evasion techniques introduced in recent TeaBot samples\r\nIt is also clear how the deobfuscation routine works: each class has been paired with a short array that is filled\r\nwith pseudo-random codes. It is then manipulated by a function that uses those codes to perform an XOR\r\noperation on its input and then returns the actual string.\r\nSince the dropper application distributed on the official Google Play Store requests only a few permissions and the\r\nmalicious app is downloaded at a later time, it is able to get confused among legitimate applications and it is\r\nalmost undetectable by common AV solutions.\r\nFigure 10 – AV detection of the dropper uploaded in the Google Play Store (February 2022)\r\n[1] https://www.cleafy.com/cleafy-labs/teabot\r\nAppendix 1: IOCs\r\nIoC Description\r\nQR Code \u0026 Barcode - Scanner App Name (TeaBot dropper)\r\nhttps://play.google[.]com/store/apps/details?\r\nid=com.scanner.buratoscanner\r\nLink Google Play Store (TeaBot\r\ndropper)\r\n104046f5cf2fb5560acf541d4f9f6381 MD5 (TeaBot dropper)\r\nhttps://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe\r\nPage 7 of 8\n\nIoC Description\r\nQR Code Scanner: Add-On App Name (TeaBot)\r\ncom.nnawozvvi.pamwhbawm Package Name (TeaBot)\r\nbf2ddaf430243461a8eab4aa1ed1e80d MD5 (TeaBot)\r\nhttps://github[.]com/leroynathanielxnlw GitHub repository (proxy)\r\nhttps://github[.]com/feleanicusor\r\nGitHub repository (hosting multiple\r\nTeaBot samples)\r\n185[.]215[.]113[.]31 C2 Server\r\nSource: https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe\r\nhttps://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe"
	],
	"report_names": [
		"teabot-is-now-spreading-across-the-globe"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434278,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07553309bfd10035b6707732f5c56daec565cef5.pdf",
		"text": "https://archive.orkl.eu/07553309bfd10035b6707732f5c56daec565cef5.txt",
		"img": "https://archive.orkl.eu/07553309bfd10035b6707732f5c56daec565cef5.jpg"
	}
}