{
	"id": "2cbaff7d-5151-4127-a2db-169633b59a38",
	"created_at": "2026-04-06T00:12:32.320884Z",
	"updated_at": "2026-04-10T03:30:33.386088Z",
	"deleted_at": null,
	"sha1_hash": "6dff3f38b5c06a2a386b5b42de8b11bc76f8f67a",
	"title": "Teabot : Android Banking Trojan Targets Banks in Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1897591,
	"plain_text": "Teabot : Android Banking Trojan Targets Banks in Europe\r\nPublished: 2021-06-17 · Archived: 2026-04-05 23:14:44 UTC\r\nTeabot (aka ‘Anatsa’) is a new Android banking Trojan with an array of malicious features that aid in tracking a victim’s financial activities and in spreading to more victims. It is reported to have been first noticed at the beginning of this year, purportedly targeting a handful of European banks and a few languages. Some of the malicious features include keylogging, disabling Google Play Protect, overlay attacks and controlling SMS.\r\nThe main infection vector of Teabot used by the threat actors is smishing campaigns, where the victims are persuaded to download and install the distributed malicious application. Teabot masquerades as media, postal and logistics service apps like BookReader, PlutoTV, TeaTV, VLC Media Player, Correos, DHL and UPS.\r\nFigure 1: Masquerades as media, postal and logistics apps\r\nIn this blog, we will be analyzing a sample “Snake.Sound.Mouse” which masquerades as a VLC media player, as shown in Figure 2.\r\nFigure 2: Malicious APK masquerading as VLC media player\r\nOnce the Teabot malware is installed on the device, it repeatedly brings up the Accessibility Service settings option on the device, as shown in Figure 3, until the user allows this app to have the Accessibility Service enabled. This app stays stealthy by hiding its icon from the application drawer after its first launch. Also, the threat actors here use the MediaProjectionManager API to obtain live streaming of the device screen on demand and also interact with it via Accessibility Services.\r\nhttps://labs.k7computing.com/?p=22407\r\nPage 1 of 9\r\nFigure 3: Request for accessibility service\r\nAnalyzing the Payload\r\nOnce the permissions are granted, this malicious APK decrypts the malicious payload file called kbu.json from the app’s assets folder into an executable dex format named ‘kbu.odex’ and loads the decrypted file, as shown in Figure 4.\r\nFigure 4: The logcat image shows the kbu.odex file execution at runtime\r\nTeabot is currently targeting 6 different languages, “Spanish, English, German, Italian, Dutch and French”, as shown in Figure 5.\r\nFigure 5: Targeted Languages\r\nThe Trojan attempts to intercept SMS messages and aborts the new SMSReceived broadcast to the victim, as per the bot command “logged_sms”, as shown in Figure 6.\r\nFigure 6: Intercept SMS Messages\r\nAbusing the Android Accessibility Service, this Trojan acts as a keylogger to steal all the victim’s information on the device.\r\nFigure 7: Keylogger Function\r\nC2 Communication\r\nTeabot enumerates all the installed applications on the victim’s device and then sends the list of installed apps to the C2 server during its first communication. All the communications between the C2 and the malware remain encrypted using an XOR key, as shown in Figure 8. When one or more targeted apps are found, the malware C2 sends the specific payload(s) to the victim device to perform an overlay attack and track all the activity related to the identified targeted application(s).\r\nFigure 8: List of installed apps sent encrypted by the malware and the decrypted data\r\nThe following are the targeted applications expected to be installed on the victim’s device:\r\nFigure 9: Targeted Banks\r\nThis malware also terminates the processes of a predefined list of apps, as shown in Figure 10 and Figure 11. Interestingly, that list includes a few popular security products, as highlighted below, in order to remain undetected.\r\nFigure 10: Terminates the predefined apps’ processes\r\nFigure 11: Apps list terminated\r\nFigure 12: Security related Apps List\r\nList of a few bot commands observed\r\nFigure 13: List of bot commands\r\nAt K7, we protect all our customers from such threats. Do ensure that you protect your mobile devices with a reputable security product like K7 Mobile Security and also regularly update and scan your devices with it. Keep your security product and devices updated and patched for the latest vulnerabilities.\r\nIndicators of Compromise (IoCs)\r\nPackage Name Hash K7 Detection Name\r\nfoot.seminar.when 8e82d870605d97db3a7e348cb6ca61c4 Trojan ( 0055efb31 )\r\nsteak.into.fine 332d407d2f690fb54546ff7f15ce7755 Trojan ( 0055efb31 )\r\nsafe.enable.tooth 112fc4be91ef529db595c9cdc40fdc82 Trojan ( 0055efb31 )\r\nsnake.sound.mouse a8ded94ee515bf0d8dbdead6d25f9ec0 Trojan ( 00573cb31 )\r\nquestion.cancel.cradle c20c6cd13bd8b5ccaca9e212635f7057 Trojan ( 0055e0a41 )\r\ntrust.royal.vibrant 4642c7a56039a82d8268282802c2fee9 Trojan ( 0055e0a41 )\r\nC2\r\nhxxp://185.215.113[.31:80/api/\r\nhxxp://178.32.130[.170:80/api/\r\nSource: https://labs.k7computing.com/?p=22407",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://labs.k7computing.com/?p=22407"
	],
	"report_names": [
		"?p=22407"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434352,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6dff3f38b5c06a2a386b5b42de8b11bc76f8f67a.pdf",
		"text": "https://archive.orkl.eu/6dff3f38b5c06a2a386b5b42de8b11bc76f8f67a.txt",
		"img": "https://archive.orkl.eu/6dff3f38b5c06a2a386b5b42de8b11bc76f8f67a.jpg"
	}
}