
We at K7 Labs recently came across this Twitter post about Teabot (aka ‘Anatsa’), a banking Trojan.

The main infection vector of Teabot was found on the official Google Play Store, where it posed as a QR Code & BarCode Scanner app with 10,000+ downloads, as shown in Figure 1.

Figure 1: QR Code & BarCode Scanner from Google Play Store

Once launched, this app asks the user to update it via a popup message, as shown in Figure 2. When the user clicks on the “Update” message, the application downloads and installs the malicious Teabot banking Trojan “main.apk”, as shown in Figure 2.

From the ADB Logcat report we noticed that the malware file “main.apk” is downloaded from a GitHub repository, as shown in Figure 3.

Figure 3: ADB Logcat shows malware sample download URL

Figure 4 shows that the repository was created by mattiebryan4570; at the time of writing this blog the GitHub repository was still live.

Figure 4: GitHub repository where the malware sample was hosted

In this blog, we will be analyzing the package “” corresponding to main.apk, which was downloaded from the above-mentioned GitHub repository, as shown in Figure 5.

Figure 5: Malicious APK downloaded from GitHub

Once the Teabot malware is installed on the device, the downloaded app, presented as “QR-Code Scanner: Add-On”, repeatedly brings up the Accessibility Service settings screen, as shown in Figure 6, until the user allows this app to have the Accessibility Service enabled.

Figure 6: Request for accessibility service

Once the permissions are granted, this malicious APK decrypts the payload file eepHM.json from the app’s assets folder into an executable dex file named ‘eepHM.odex’ and loads the decrypted file, as shown in Figure 7.

Figure 7: The logcat image shows the eepHM.odex file execution at runtime

The Trojan then attempts to intercept SMS messages and aborts the new SMSReceived broadcast to the victim, as instructed by the bot command “logged_sms”, as shown in Figure 8.
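As an added defender-side example (not K7 Labs' code), the following script triages a decoded AndroidManifest.xml for the capability combination described in this post: an accessibility service, an SMS_RECEIVED receiver positioned to abort the broadcast, and the install permission a dropper needs to side-load a second APK such as main.apk. The manifest, package name and component names are constructed for illustration.

```python
# Added example, not K7 Labs' code: triage a decoded AndroidManifest.xml (e.g. from
# apktool) for the capability set described above: an accessibility service, an
# SMS_RECEIVED receiver able to abort the broadcast, and REQUEST_INSTALL_PACKAGES
# as used by the dropper to install "main.apk". The manifest below is constructed.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BIND_ACC = "android.permission.BIND_ACCESSIBILITY_SERVICE"

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.qrscanner">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".AccService" android:permission="%s">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsRx">
      <intent-filter android:priority="999">
        <action android:name="%s"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>""" % (BIND_ACC, SMS_RECEIVED)

def triage_manifest(xml_text: str) -> dict:
    # Returns which Teabot-style capabilities the manifest declares, plus a count.
    root = ET.fromstring(xml_text)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    acc_service = any(s.get(NS + "permission") == BIND_ACC for s in root.iter("service"))
    # An SMS_RECEIVED receiver with an elevated priority is handed the ordered
    # broadcast before the default SMS app and can call abortBroadcast() on it.
    sms_intercept = False
    for flt in root.iter("intent-filter"):
        actions = {a.get(NS + "name") for a in flt.iter("action")}
        if SMS_RECEIVED in actions and int(flt.get(NS + "priority", "0")) > 0:
            sms_intercept = "android.permission.RECEIVE_SMS" in perms
    findings = {
        "accessibility_service": acc_service,
        "sms_intercept_receiver": sms_intercept,
        "sideload_install": "android.permission.REQUEST_INSTALL_PACKAGES" in perms,
    }
    findings["score"] = sum(findings.values())
    return findings
```

A score of 3 on the constructed manifest flags all three behaviours together; in practice such a hit is a prompt for dynamic analysis of the assets folder (for encrypted payloads like eepHM.json) rather than a verdict on its own.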
