{
	"id": "f1f620f6-acba-4e46-97d3-1d3aedb84f13",
	"created_at": "2026-04-06T00:08:20.956025Z",
	"updated_at": "2026-04-10T03:30:33.868754Z",
	"deleted_at": null,
	"sha1_hash": "ece87a5beb1332423fc3d09fc31a794cb0de3174",
	"title": "A stealthy threat uncovered: TeaBot on Google Play Store",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4328295,
	"plain_text": "A stealthy threat uncovered: TeaBot on Google Play Store\r\nBy Francesco Iubatti, Federico Valentini\r\nArchived: 2026-04-05 23:02:39 UTC\r\nKey Points\r\nStarting from the second week of February, we have observed via our telemetry data an increase in TeaBot\r\nbanking trojan infections across several European countries.\r\nOur investigations have revealed that the initial stage of infection originates from an application available\r\non the official Google Play Store, with over 100,000 downloads (before being removed from the Google\r\nPlay Store).\r\nThis application serves as a dropper, facilitating the download of a banking trojan of the TeaBot family\r\nthrough multiple stages.\r\nBefore downloading the banking trojan, the dropper performs advanced evasion techniques, including\r\nobfuscation and file deletion, alongside multiple checks on the victim's country.\r\nUpon successful installation, delivered through a deceptive fake-update popup, threat actors (TAs) gain the ability\r\nto execute banking fraud via Account Takeover (ATO) attacks.\r\nFigure 1 - Requesting the same app, on the Google Play Store, from different countries\r\nIntroduction \u0026 Background\r\nWhile phishing campaigns have traditionally been the primary method for distributing banking trojans, in recent\r\nyears, there has been a notable trend where TAs utilise official app stores to disseminate their malware. This is\r\nachieved by deploying dropper applications designed to download malware onto the targeted device. One of the\r\nmain motivations behind this method is the ability to reach a large pool of potential victims, thereby increasing\r\nthe likelihood of successful fraudulent transactions.\r\nhttps://www.cleafy.com/cleafy-labs/a-stealthy-threat-uncovered-teabot-on-google-play-store\r\nPage 1 of 8\n\nSince the second week of February, we have detected a rise in TeaBot banking trojan infections across multiple\r\nEuropean countries through our telemetry data. Our investigations have revealed that the initial stage of infection\r\noriginates from an application available on the official Google Play Store. This application dynamically\r\ndownloads additional code and configuration files, effectively evading detection.\r\nFigure 2 - TeaBot’s infection telemetry from Cleafy data\r\nIn the next section of the article, we will describe the critical points of each stage of infection, which can be\r\nsummarised as follows:\r\nStage 1: The initial phase of infection starts with an application found on the official Google Play Store.\r\nThis application is exclusively available to users in specific countries and disguises itself as a common\r\nutility application. It acts as a dropper, facilitating the download of additional code from a designated\r\nserver.\r\nStage 2: The downloaded code, in the form of a .dex file, is utilised to conduct further assessments of the\r\nuser device. Specifically, it verifies whether the device is located within one of the specific countries and\r\ndetermines if it is operating on an actual device or within an emulator or sandbox.\r\nStage 3: Once the checks are completed, an additional APK is downloaded and installed on the user's\r\ndevice. The APK is responsible for unpacking a file containing malicious code within itself, thus enabling\r\nTAs to carry out fraudulent operations.\r\nFigure 3 - Infection chain overview\r\nTechnical Analysis\r\nFirst Stage: Dropper Application from Google Play\r\nThe \"PDF Reader: File Manager\" application appears as a genuine PDF file manager and is exclusively\r\naccessible for download in targeted countries. This application was released on the Google Play Store on January\r\n31, 2024, and updated on February 9, 2024. Upon our discovery, and a few days after its update, the application\r\nhad already been downloaded over 10,000 times. 
However, it reached over 100,000 downloads before being\r\nremoved from the store.\r\nFigure 4 - Number of downloads of the dropper application from Google Play Store\r\nThe dropper application follows a classic pattern, requesting the REQUEST_INSTALL_PACKAGES and\r\nWRITE_EXTERNAL_STORAGE permissions so that it can store and install the additional code it fetches. However, unlike some\r\nearlier campaigns, where the banking trojan was downloaded directly from a server or GitHub repositories, in this\r\ncampaign, several steps and checks are performed before downloading TeaBot.\r\nFigure 5 - Snippet of the AndroidManifest.xml file\r\nOnce the application is downloaded and installed, a service component within the dropper application performs\r\ntwo HTTP GET requests to retrieve the following files:\r\n1. muchaspuchas: a string containing multiple Java method names and keywords, delimited by the \"|\" character,\r\nleveraged by the dropper to load the additional dex file at run-time;\r\n2. cortina: a .dex file containing additional code imported by the application.\r\nFigure 6 - HTTP GET requests for downloading and executing the additional .dex file\r\nIn the next paragraph, we will move to the second stage of the infection chain by describing some of the features\r\nin the dex file.\r\nSecond Stage: dex file\r\nThe TeaBot dropper employs sophisticated evasion techniques to avoid detection. One such technique is the\r\ndynamic download of a secondary executable, a dex file, from a dedicated C2 server. By adopting this\r\nmodular approach, TAs can rotate the payload contained within the dex file at will, making it harder for\r\nsecurity measures to detect. 
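The two first-stage requests described above (muchaspuchas, then cortina, pulled from the dropper server), followed by the third-stage APK download and traffic to the C2 addresses in the IoC appendix, form a sequence that is straightforward to hunt for in web-proxy logs. The Python below is an added example written for this page, not Cleafy's code or code from the sample: the log format and sample lines are constructed, the indicator values come from the report's appendix, and the assumption that 1.apk is fetched from the same dropper host is ours (the report does not say where it is served from).

```python
# Added example, not code from the report: hunt for the TeaBot dropper
# staging pattern in web-proxy logs. Log format and sample lines are
# constructed; indicator values are from the report's IoC appendix.
from collections import defaultdict
from datetime import datetime, timedelta

def refang(s):
    return s.replace('[.]', '.')

DROPPER_HOST = refang('befukiv[.]com')                                # dropper server
C2_HOSTS = {refang('185.215.113[.]31'), refang('91.215.85[.]55')}    # TeaBot C2
STAGE1_FILES = {'muchaspuchas', 'cortina'}   # loader string, then the .dex
PAYLOAD_FILE = '1.apk'                       # third-stage TeaBot APK
WINDOW = timedelta(minutes=5)                # both stage-1 fetches within this span

def parse_line(line):
    # Constructed format: <ISO timestamp> <client> <method> <host> <path>
    ts, client, method, host, path = line.split()
    return {'ts': datetime.fromisoformat(ts), 'client': client,
            'method': method, 'host': host, 'path': path}

def _note(found, tag):
    if tag not in found:
        found.append(tag)

def classify(lines):
    '''Return {client: [alert, ...]} for every client showing dropper activity.'''
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e['ts'])
    by_client = defaultdict(list)
    for e in events:
        by_client[e['client']].append(e)
    alerts = {}
    for client, evs in by_client.items():
        found = []
        seen = defaultdict(dict)   # host -> {stage-1 file name: first fetch time}
        for e in evs:
            name = e['path'].rsplit('/', 1)[-1]
            if e['host'] in C2_HOSTS:
                _note(found, 'c2:' + e['host'])     # any traffic to a known C2
            if e['method'] != 'GET':
                continue
            if name in STAGE1_FILES:
                seen[e['host']].setdefault(name, e['ts'])
                times = seen[e['host']]
                # Both loader pieces pulled from one host within WINDOW = staging
                if len(times) == len(STAGE1_FILES) and max(times.values()) - min(times.values()) <= WINDOW:
                    _note(found, 'dropper-staging:' + e['host'])
            elif name == PAYLOAD_FILE and e['host'] == DROPPER_HOST:
                _note(found, 'payload-download:' + e['host'])  # assumed source host
        if found:
            alerts[client] = found
    return alerts

# Constructed sample: one infected client, one benign client whose two hits are hours apart.
SAMPLE_LOG = '''
2024-02-12T09:14:02 10.0.0.21 GET befukiv.com /muchaspuchas
2024-02-12T09:14:03 10.0.0.21 GET befukiv.com /cortina
2024-02-12T09:16:40 10.0.0.21 GET befukiv.com /1.apk
2024-02-12T09:17:05 10.0.0.21 POST 185.215.113.31 /
2024-02-12T09:20:00 10.0.0.34 GET cdn.example.net /cortina
2024-02-12T11:50:00 10.0.0.34 GET cdn.example.net /muchaspuchas
'''.strip().splitlines()

if __name__ == '__main__':
    for client, tags in classify(SAMPLE_LOG).items():
        print(client, tags)
```

The staging rule keys on the pair of file names rather than on the host, since the report notes the dropper server and dex payloads were rotated during the campaign; the known host and C2 addresses are matched separately so that a renamed server still trips the behavioural rule.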
During this campaign, from 9 to 19 February 2024, the dropper\r\nfetched multiple dex files with minor modifications.\r\nThe purpose of the additional code within the dex file is to conduct further checks on the user’s device,\r\nspecifically:\r\nVerify whether the device is an emulator by examining information such as model, manufacturer, etc.\r\nCheck whether the ISO 3166-1 country code of the current registered operator corresponds to one of the following\r\ncountries:\r\nes: Spain\r\nsk: Slovakia\r\ncz: Czech Republic\r\nru: Russia\r\nhr: Croatia\r\nsi: Slovenia\r\nsl: Sierra Leone\r\nbg: Bulgaria\r\nee: Estonia\r\nfi: Finland\r\nie: Ireland\r\ngb: United Kingdom (Great Britain)\r\nAn interesting aspect concerning the targeted countries is that Russia and CIS regions are typically excluded\r\nduring the installation phases in multiple malware campaigns. However, in the case of this TeaBot campaign,\r\nRussia stands out as one of the targets.\r\nFigure 7 - Multiple checks used before downloading the TeaBot banking trojan\r\nIf the user device passes the checks mentioned above, a new application (APK file) is downloaded onto the\r\ndevice. To accomplish this, TAs employ a well-established strategy: a fake update request that deceives\r\nthe user:\r\nFigure 8 - Fake update messages used by the dropper to download TeaBot\r\nThird Stage: APK file\r\nThe last step in the infection is to download the actual TeaBot APK (1.apk). However, although there are several\r\nsuspicious permissions within the AndroidManifest.xml file, including the notorious accessibility service permission\r\n(BIND_ACCESSIBILITY_SERVICE), there are no accessibility abuse functions in the code. 
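The second-stage gate described above decides whether a device ever receives the TeaBot APK, so an analysis sandbox that fails it only ever observes the clean-looking dropper. The Python below is an added example written for this page, not code from the sample or from Cleafy: it models that gate over constructed device profiles. The country list is the report's; the emulator indicators (substrings of Build.MODEL and Build.MANUFACTURER) are our assumption of what such a check typically looks for, not strings recovered from the dex.

```python
# Added example, not code from the sample: model the second-stage gate
# (operator country allow-list + emulator check) over device profiles.
# Country codes are the report's list verbatim; emulator markers are assumed.
TARGET_ISO = {'es', 'sk', 'cz', 'ru', 'hr', 'si', 'sl', 'bg', 'ee', 'fi', 'ie', 'gb'}
EMULATOR_MARKERS = ('sdk', 'emulator', 'genymotion', 'goldfish', 'ranchu', 'vbox')

def looks_like_emulator(model, manufacturer):
    # Assumed heuristic: substring hits in Build.MODEL / Build.MANUFACTURER,
    # or the placeholder manufacturer many emulator images report.
    haystack = (model + ' ' + manufacturer).lower()
    return manufacturer.lower() == 'unknown' or any(m in haystack for m in EMULATOR_MARKERS)

def gate(profile):
    '''Return (proceed, reasons). network_country_iso mirrors
    TelephonyManager.getNetworkCountryIso(), which returns an empty string
    when no country can be determined (typically no registered operator,
    e.g. a SIM-less emulator); an empty value can never match the
    allow-list, so such a sandbox stops here regardless of Build fields.'''
    reasons = []
    iso = profile.get('network_country_iso', '').lower()
    if not iso:
        reasons.append('no registered operator, country check cannot pass')
    elif iso not in TARGET_ISO:
        reasons.append('operator country ' + iso + ' not targeted')
    if looks_like_emulator(profile.get('model', ''), profile.get('manufacturer', '')):
        reasons.append('emulator indicators in Build fields')
    return (not reasons, reasons)

# Constructed profiles: a stock AVD image, a handset with no SIM, a Spanish handset.
STOCK_EMULATOR = {'model': 'sdk_gphone64_x86_64', 'manufacturer': 'Google',
                  'network_country_iso': 'us'}
NO_SIM_PHONE = {'model': 'SM-A525F', 'manufacturer': 'samsung', 'network_country_iso': ''}
SPANISH_PHONE = {'model': 'SM-A525F', 'manufacturer': 'samsung', 'network_country_iso': 'es'}

if __name__ == '__main__':
    for label, p in [('stock emulator', STOCK_EMULATOR), ('no-SIM phone', NO_SIM_PHONE),
                     ('Spanish phone', SPANISH_PHONE)]:
        print(label, gate(p))
```

The practical consequence for detonation: the sandbox must present both a realistic Build profile and a registered operator whose MCC maps to one of the listed countries, otherwise the chain never reaches the fake-update prompt and the 1.apk download.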
The reason is that the app unpacks a file in the asset\r\ndirectory (called ‘rvkcc1.on’) containing all the malicious features of the TeaBot banking trojan.\r\nFigure 9 - Some of the deobfuscated strings\r\nOnce the rvkcc1.on file is unpacked to a dex file, the code is imported into the app, and the dex is removed from\r\nthe app directory. At this point, the malware is installed, and as usual, it requests the Accessibility permissions\r\nduring the installation phases to obtain complete control of the infected device.\r\nFigure 10 - Installation phases of TeaBot\r\nAn interesting fact about this recent sample of TeaBot is the introduction of code dedicated to the Revolut banking\r\napplication. Specifically, if the victim has the Revolut app installed, the malware can use accessibility features to\r\nread information from the Revolut app, including the victim's balance, as shown:\r\nFigure 11 - Snippet of code used to retrieve Revolut app information\r\nConclusions\r\nTeaBot was discovered back in January 2021 by the Cleafy Threat Intelligence and Incident Response team as an\r\nemerging threat that, judging by some irregularities found during our initial analysis, appeared to be in its early\r\nstages of development.\r\nDuring the last few years, we have noticed constant updates behind this threat, including new targets, new evasion\r\ntechniques, and support for new languages, including Russian, Slovak, and Mandarin Chinese.\r\nThis last investigation aims to show how the TAs behind TeaBot are still improving their techniques to remain\r\nundetected and maximise their efficiency, refining advanced evasion techniques and leveraging the official Google\r\nPlay Store as their favourite distribution method.\r\nAdditionally, it is noteworthy to mention a peculiar aspect uncovered during our investigations: the potential\r\ntargeting of Russian citizens in the TeaBot campaign. This finding is based on the configurations extracted during\r\nthis last research. It is worth noting that, in banking fraud, botnets and within much of the underground forum\r\ncommunity, countries within the Commonwealth of Independent States (CIS) are typically excluded a priori. This\r\nexclusion is often enforced through specific checks embedded within the malware's source code. Including\r\nRussian targets in this TeaBot campaign deviates from this norm, suggesting a potentially expanded scope of\r\noperation or a strategic shift in targeting priorities by the TAs behind the threat.\r\nRelated works\r\nTeaBot: a new Android malware emerged in Italy, targets banks in Europe (May 2021) - link\r\nTeaBot is now spreading across the globe (March 2022) - link\r\nAppendix 1: list of IoCs\r\nIoC Description\r\na325ba7810b0791d2c6c4757ae4fe074 MD5 - Dropper\r\ncom.tragisoap.fileandpdfmanager Package name - Dropper\r\n6a108e97eb659eded211f25eb6649989 MD5 - dex file (cortina)\r\nhttps://befukiv[.]com Dropper server\r\n17deac9f87fedb65c323f13beaa6a1ce MD5 - TeaBot (1.apk)\r\n185.215.113[.]31 TeaBot C2 server\r\n91.215.85[.]55 TeaBot C2 server\r\nSource: https://www.cleafy.com/cleafy-labs/a-stealthy-threat-uncovered-teabot-on-google-play-store",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/a-stealthy-threat-uncovered-teabot-on-google-play-store"
	],
	"report_names": [
		"a-stealthy-threat-uncovered-teabot-on-google-play-store"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434100,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ece87a5beb1332423fc3d09fc31a794cb0de3174.pdf",
		"text": "https://archive.orkl.eu/ece87a5beb1332423fc3d09fc31a794cb0de3174.txt",
		"img": "https://archive.orkl.eu/ece87a5beb1332423fc3d09fc31a794cb0de3174.jpg"
	}
}