New Android Malware Called ‘TeaBot’ Is Spreading in Europe

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

A team of researchers at Cleafy has discovered a new Android banking trojan which they call ‘TeaBot,’ and which has been spreading across European countries since January 2021. The goal of the malware is to steal user credentials and SMS messages and use them both for taking over banking accounts. According to the report, over 60 European banks are targeted, but the biggest volume of distribution is seen in Spain, Germany, Italy, Belgium, and the Netherlands. That’s in line with Flubot, but the researchers clarify that this is a novel malware.

The malware is being under active development and is gradually adding more banks and countries. For example, Italian banks were added in March, while Belgium and Netherlands were added as targeted countries at the beginning of May. This means the particular piece of malware may soon find its way to countries outside Europe, possibly the United States and the United Kingdom, two big “victim pools” that are currently missing.

Source: Cleafy

The abilities of TeaBot include the following:

These are achieved by ensuring the granting of the following permissions upon installation:

Source: Cleafy

After installation:

Observe actions
Retrieve window content
Perform arbitrary gestures (ignore battery optimizations)

As for what app icons are used by TeaBot as a method of hiding from the user, these include TeaTV, VLC MediaPlayer, DHL, and UPS. It goes without saying that the authors may update this set and use other apps for imitation, so you should remain vigilant even if you don’t have any of these four on your app drawer. After all, the malware is removing its icon from the device once it is granted the requested permissions.

Source: Cleafy

In terms of the TeaBot communications with the C2, the malware is sending POST and GET requests every 10 seconds, and the former is encrypted with the XOR algorithm. The researchers believe that TeaBot is configured for real-time interaction with the compromised device, that’s why the requests are so frequent.

Source: Cleafy

To protect yourself against these threats, only download software from trustworthy and reputable sources, use Google Play, review the requested permissions carefully before granting, and use a mobile security solution. In this case, installing a media player like VLC shouldn’t be accompanied by requests to send SMS messages, reading the contacts list, or use biometric sensors.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: