{
	"id": "a2d03913-998b-476b-9e7c-98001c4f1717",
	"created_at": "2026-04-06T00:08:19.229994Z",
	"updated_at": "2026-04-10T13:13:06.851644Z",
	"deleted_at": null,
	"sha1_hash": "3c221acb75d1538096133cb7c1158d7c59f0cbcc",
	"title": "TeaBot: a new Android malware emerged in Italy, targets banks in Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 13417219,
	"plain_text": "TeaBot: a new Android malware emerged in Italy, targets banks in\r\nEurope\r\nBy Federico Valentini, Francesco Iubatti\r\nArchived: 2026-04-05 16:37:36 UTC\r\nKey Points\r\nAt the beginning of January 2021, a new Android banking trojan was discovered and analyzed by our\r\nThreat Intelligence and Incident Response (TIR) team. We decided to dub this new family as TeaBot since\r\nit seems to not be related to any known banking trojan family\r\nThe main goal of TeaBot is stealing victim’s credentials and SMS messages for enabling frauds scenarios\r\nagainst a predefined list of banks (more than 60 targeted banks were extracted)\r\nOnce TeaBot is successfully installed in the victim’s device, attackers can obtain a live streaming of the\r\ndevice screen (on demand) and also interact with it via Accessibility Services  \r\nOn 29th March 2021, we detected for the first time the inclusion of injections against Italian banks\r\nAlso, at the beginning of May 2021, we detected for the first time also the inclusion of injections against\r\nBelgium and Netherlands banks\r\nAt the time of writing, TeaBot appears to be at its early stages of development according to some\r\nirregularities found during our analysis\r\nFor the sake of completeness, after our investigation we noticed that the name ‘Anatsa’ is also used for\r\ntracking this malware family\r\nExecutive Summary\r\nAt the beginning of January 2021, a new Android banker started appearing and it was discovered and analysed by\r\nour Threat Intelligence and Incident Response (TIR) team.\r\nSince lack of information and the absence of a proper nomenclature of this Android banker family, we decide to\r\ndub it as TeaBot to better track this family inside our internal Threat Intelligence taxonomy.   
\r\nTeaBot appears to have all the main features of current Android bankers, achieved by abusing Accessibility Services, such as:\r\nAbility to perform overlay attacks against multiple banking applications to steal login credentials and credit card information\r\nAbility to send / intercept / hide SMS messages\r\nEnabling key logging functionalities\r\nAbility to steal Google Authenticator codes\r\nAbility to obtain full remote control of an Android device (via Accessibility Services and real-time screen sharing)\r\nhttps://www.cleafy.com/cleafy-labs/teabot\r\nPage 1 of 10\r\nThanks to an in-depth analysis of a new wave of samples detected at the end of March 2021, we found, for the first time, multiple payloads against Italian banks.\r\nAlso, TeaBot appears to be at an early stage of development, according to some irregularities found during our analysis, but the developers have already included multi-language support, according to some textual references found (e.g. Spanish, Italian, German, etc.).\r\nWe assume that TeaBot, similarly to Oscorp, is trying to achieve real-time interaction with the compromised device combined with the abuse of Android Accessibility Services, bypassing the need for a “new device enrollment” to perform an Account Takeover (ATO) scenario.\r\nTeaBot – Static Analysis\r\nFrom the AndroidManifest file the following indicators were extracted:\r\nInitially, the app name used by the malicious app was “TeaTV”; however, during the last month the app name was changed to “VLC MediaPlayer”, “Mobdro”, “DHL”, “UPS” and “bpost”, the same decoys used by the well-known banker FluBot/Cabassous\r\nThe main permissions requested by TeaBot allow it to:\r\no   Send / intercept SMS messages\r\no   Read the phone book and phone state\r\no   Use device-supported biometric modalities\r\no   Modify audio settings (e.g. 
to mute the device)\r\no   Show a popup on top of all other apps (used during the installation phase to force the user to accept the accessibility service permissions)\r\no   Delete an installed application\r\no   Abuse Android Accessibility Services\r\nFigure 1 - List of permissions declared in the AndroidManifest.xml\r\nFigure 2 - Main app icons used by TeaBot\r\nTeaBot, like other bankers, uses multiple techniques to slow down analysts, such as:\r\nThe malicious application acts as a dropper and dynamically loads a second stage (.dex) where all the malicious code resides\r\nUsage of “junk code”\r\nNetwork communications are partially encrypted using a XOR algorithm\r\nFurthermore, both the partial network encryption and the presence of some non-working injections and commands (or, in some cases, a lack of injections for specific targeted banks) suggest to us that TeaBot is still under development.\r\nAt the same time, a couple of interesting changes were detected:\r\nIn January 2021, TeaBot was focused only on Spanish banks\r\nIn March 2021, new samples of TeaBot appeared with German and Italian banks as targets for the first time. Also, TeaBot currently supports 6 different languages (Spanish, English, Italian, German, French and Dutch):\r\nFigure 3 - Support for multiple languages found\r\nTeaBot main features\r\nThe main features observed during the analysis of the banker are the following.\r\nKeylogging: Through the abuse of the Android Accessibility Services, TeaBot is able to observe and record everything the user does in the targeted applications. We observed similar behavior in another banker called EventBot, with the difference that EventBot tracks any app while TeaBot tracks only targeted apps, therefore less traffic is generated between the banker and the C2. 
TeaBot, during its first communications with the C2, sends the list of installed apps to verify whether the infected device has one or more targeted apps already installed. When TeaBot finds one of them, it downloads the specific payload to perform overlay attacks and starts tracking all the activity performed by the user on the targeted app. This information is sent back to the assigned C2 every 10 seconds.\r\nFigure 4 - Example of TeaBot's configuration file\r\nFigure 5 - Example of bank credentials stolen by TeaBot\r\nScreenshots: One of the particularities of TeaBot is the capability of taking screenshots to constantly monitor the screen of the compromised device. When the C2 sends the “start_client” command with an IP address and port, it starts requesting the images and TeaBot starts a loop in which it creates a “VirtualScreen” to take the screenshots.\r\nFigure 6 - Snippet of TeaBot's code for taking screenshots of the compromised device\r\nOverlay attack: “The overlay attack is a well-known technique implemented in modern Android banking trojans (e.g. Anubis, Cerberus/Alien) which consists of a malicious application/user somehow able to perform actions on behalf of the victim. 
This usually takes the form of an imitation app or a WebView launched “on top” of a legitimate application (such as a banking app).”\r\nFigure 7 - Example of injection used to perform an overlay attack\r\nSee Appendix 1 - Geographical distribution of banks currently targeted by TeaBot for an overview of targeted apps.\r\nOther features: TeaBot has other features quite common in other known Android bankers, such as:\r\ndisabling Google Play Protect\r\nsending / intercepting / hiding SMS messages\r\nstealing other accounts from the Android Settings and Google Authenticator 2FA codes\r\nsimulating gestures and clicks on the screen (via Accessibility Services).\r\nDynamic Analysis\r\nWhen the malicious app has been downloaded on the device, it tries to install itself as an “Android Service”, which is an application component that can perform long-running operations in the background. TeaBot abuses this component to run silently once installed, hiding itself from the user, hindering detection and ensuring its persistence.\r\nFurthermore, during the installation phases, TeaBot starts communicating with its C2 server in the background.\r\nFigure 8 - Screenshots taken during the installation phase of TeaBot\r\nAfter the installation, TeaBot requests the following Accessibility Service capabilities, which are mandatory to perform its malicious behavior:\r\nObserve your actions\r\nUsed to intercept and observe the user’s actions\r\nRetrieve window content\r\nUsed to retrieve sensitive information such as login credentials, SMS, 2FA codes from authentication apps, etc.\r\nPerform arbitrary gestures\r\nTeaBot uses this capability to accept different kinds of permission requests immediately after the installation phase, for example the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission popup.\r\nOnce the requested permissions have been accepted, the malicious 
application will remove its icon from the device.\r\nFigure 9 - Example of encrypted communication\r\nDuring its first communications, TeaBot sends the list of installed apps to verify whether the infected device has one or more targeted apps already installed. When one or more targeted applications are found, the C2 sends the specific payloads to the device.\r\nFigure 10 - Example of encrypted and decrypted communication\r\nBy analyzing TeaBot network communications, it was possible to group them into the following three main types:\r\n[C2-URL]/api/botupdate:\r\nevery 10 seconds TeaBot sends a POST request with all the information about the compromised device (Figures 9 and 10) (e.g. name of the SMS manager app installed, captured injects, passwords found, etc.). These are the only communications encrypted with the XOR algorithm, using the same key (“66”) across multiple TeaBot samples. The response typically consists of a configuration update (e.g. C2 addresses, commands to launch, etc.)\r\n[C2-URL]/api/getkeyloggers:\r\nevery 10 seconds TeaBot performs a GET request to retrieve the list of the apps targeted by the keylogger functionality\r\n[C2-URL]/api/getbotinjects:\r\na POST request is made by TeaBot during its first stage of infection with a JSON file (not encrypted) containing all the package names installed on the compromised device. 
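The three request types above, turned into a triage script as an added example that is not part of the Cleafy report: it flags the 10-second beacon to /api/botupdate and /api/getkeyloggers in HTTP proxy logs, decodes a /api/botupdate body with the reported XOR key, and pulls installed package names out of the clear-text /api/getbotinjects JSON. The log line format, the JSON layouts, the 10.0.0.7 client and the reading of key 66 as a single byte are assumptions (the report only states the key value), so the XOR helper also accepts a multi-byte key; the traffic is constructed, not captured.

```python
# Added example (not Cleafy's code): triage of HTTP logs for the TeaBot C2
# pattern described above, plus decoding of the XOR-obfuscated /api/botupdate
# body. All log lines, JSON layouts and the 10.0.0.7 client are constructed.
import json
from collections import defaultdict
from statistics import median

XOR_KEY = 66            # key value reported by Cleafy
BEACON_PERIOD_S = 10    # botupdate / getkeyloggers cadence reported by Cleafy
C2_PATHS = {'/api/botupdate', '/api/getkeyloggers', '/api/getbotinjects'}


def xor_bytes(data, key=XOR_KEY):
    '''Repeating-key XOR. XOR is symmetric, so one function encodes and decodes.
    Assumption: key 66 is a single byte; pass bytes (e.g. b'66') if a sample
    turns out to use the ASCII digits as a two-byte key instead.'''
    key_bytes = bytes([key]) if isinstance(key, int) else bytes(key)
    return bytes(b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(data))


def parse_log_line(line):
    '''Constructed log format: epoch_seconds src_ip method host path [hex_body].'''
    parts = line.split()
    ts, src, method, host, path = parts[:5]
    body = bytes.fromhex(parts[5]) if len(parts) > 5 else b''
    return {'ts': float(ts), 'src': src, 'method': method,
            'host': host, 'path': path, 'body': body}


def find_beacons(records, period=BEACON_PERIOD_S, tolerance=2.0, min_hits=3):
    '''Return (src, host, path) triples whose request intervals to a known C2
    path cluster around the reported period. The path filter keeps ordinary
    10-second keep-alives to other endpoints out of the result.'''
    stamps_by_key = defaultdict(list)
    for r in records:
        if r['path'] in C2_PATHS:
            stamps_by_key[(r['src'], r['host'], r['path'])].append(r['ts'])
    hits = []
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if abs(median(gaps) - period) <= tolerance:
            hits.append(key)
    return sorted(hits)


def extract_package_names(obj):
    '''Pull Android package names out of a JSON document of unknown layout:
    any string made of two or more dot-separated identifiers.'''
    if isinstance(obj, str):
        parts = obj.split('.')
        ok = len(parts) >= 2 and all(p.isidentifier() for p in parts)
        return [obj] if ok else []
    if isinstance(obj, dict):
        obj = list(obj.values())
    if isinstance(obj, list):
        return [name for item in obj for name in extract_package_names(item)]
    return []


def triage(lines):
    '''Run all three checks over raw log lines.'''
    records = [parse_log_line(line) for line in lines]
    decoded = [xor_bytes(r['body']).decode('utf-8', errors='replace')
               for r in records if r['path'] == '/api/botupdate' and r['body']]
    packages = []
    for r in records:
        if r['path'] == '/api/getbotinjects' and r['body']:
            packages.extend(extract_package_names(json.loads(r['body'].decode('utf-8'))))
    return {'beacons': find_beacons(records), 'botupdate': decoded, 'packages': packages}


def build_sample_log():
    '''Constructed traffic standing in for a proxy capture of one infected device.
    The botupdate body is XORed with the same helper, as the malware would do.'''
    installed = json.dumps({'apps': ['com.android.chrome', 'com.example.bank',
                                      'com.google.android.apps.authenticator2']})
    update = json.dumps({'sms_app': 'com.android.messaging', 'injects': [], 'passwords': []})
    enc = xor_bytes(update.encode('utf-8')).hex()
    t0 = 1620000000
    lines = [str(t0) + ' 10.0.0.7 POST kopozkapalo.xyz /api/getbotinjects ' + installed.encode('utf-8').hex()]
    for i in range(6):
        t = t0 + BEACON_PERIOD_S * i
        lines.append(str(t) + ' 10.0.0.7 POST kopozkapalo.xyz /api/botupdate ' + enc)
        lines.append(str(t + 1) + ' 10.0.0.7 GET kopozkapalo.xyz /api/getkeyloggers')
        lines.append(str(t + 2) + ' 10.0.0.7 GET www.example.com /ping')  # benign 10 s keep-alive
    return lines


if __name__ == '__main__':
    result = triage(build_sample_log())
    for beacon in result['beacons']:
        print('beacon:', beacon)
    print('decoded botupdate:', result['botupdate'][0])
    print('installed packages:', result['packages'])
```

On the constructed sample the benign /ping keep-alive has the same 10-second cadence as the C2 traffic and is dropped only because of the path filter; in a real hunt the cadence check should be paired with the C2 hosts and paths from Appendix 3 rather than used alone, and a decoded botupdate body that parses as JSON is the quickest confirmation that the key interpretation is right.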
Using this package list, TeaBot learns whether one or more targeted apps are present and downloads the related injection(s).\r\nAppendix 1: Geographical distribution of banks currently targeted by TeaBot\r\nFigure 11 - Geographical distribution of banks currently targeted by TeaBot\r\nAppendix 2: TeaBot commands\r\nThe following table summarizes the list of all the commands found in TeaBot during the technical analysis:\r\napp_delete : Delete an application by package name\r\nask_syspass : Show a biometric authorization popup\r\nask_perms : Request permissions from the user\r\nchange_pass : Show a toast message (small popup) that informs the user to update the password (lock pattern)\r\nget_accounts : Get the accounts in Android settings\r\nkill_bot : Remove itself\r\nmute_phone : Mute the device\r\nopen_activity : Open an application by package name\r\nopen_inject : Perform the overlay attack, opening the injection (HTML payload)\r\nreset_pass : Under development\r\nstart_client : Define an IP and port used to observe the compromised device through screenshots\r\nswipe_down : Used to perform gestures like a swipe on the screen\r\ngrab_google_auth : Open the Google Authenticator app and grab the codes\r\nactivate_screen : Enable the screen. TeaBot has the ability to control the device’s screen (e.g. the banker is able to keep the screen from dimming)\r\nAppendix 3: IOCs\r\nApp Name : “VLC MediaPlayer” | “TeaTV”\r\nSHA256 : 89e5746d0903777ef68582733c777b9ee53c42dc4d64187398e1131cccfc0599 | 7f5b870ed1f286d8a08a1860d38ef4966d4e9754b2d42bf41d7511e1856cc990\r\nC2 : 185.215.113[.]31 | kopozkapalo[.]xyz | sepoloskotop[.]xyz | 178.32.130[.]170\r\nXOR Key: 66\r\nSource: https://www.cleafy.com/cleafy-labs/teabot",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/teabot"
	],
	"report_names": [
		"teabot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434099,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c221acb75d1538096133cb7c1158d7c59f0cbcc.pdf",
		"text": "https://archive.orkl.eu/3c221acb75d1538096133cb7c1158d7c59f0cbcc.txt",
		"img": "https://archive.orkl.eu/3c221acb75d1538096133cb7c1158d7c59f0cbcc.jpg"
	}
}