Hispasec has reported the detection of a new banking malware on Android, belonging to what appears to be a previously unidentified family, after analysis in VirusTotal, Koodous and by Hispasec's own team.
The malware comes in an APK file called TeaTV. TeaTV is a service for watching series and television online without a license, and in this case the application is fake, since it is not the official one from the service. The file was capable of installing an accessibility service on the phone to monitor all phone activity, in order to detect the opening of banking applications.
If you have installed an app called TeaTV.apk, it should be deleted immediately
According to Hispasec, the new malware appears to belong to a new family. It is a banking Trojan, although it follows the usual strategy of this type of malware when trying to steal data. This malware takes advantage of Android accessibility permissions, which are the only thing it requests on installation. Once accessibility permissions are granted, the malware is able to detect button presses, changes in text fields and other events on our phone. What do they get out of this?
As soon as we interact with any element of our device's interface, the malware receives information associated with it: in other words, it can know when we have opened a banking application.
"teatv.apk": 638f5a51aca3308e00418dc119a481feb0f72b04041a9a7fafce8587b74f62da pic.twitter.com/OwvSiuwoPo
— MalwareHunterTeam (@malwrhunterteam) January 7, 2021
If it detects that we have opened one, it automatically opens a web view with a phishing form to get hold of our login credentials. In addition to injecting the phishing page, the malware sends information about the accessibility events it collects, keeping track of phone activity.
The application, as we indicated, is a fake APK; that is, it does not really belong to TeaTV. If we go to the service's page, we see that the APK downloaded there is called teatv_release_310.apk, that is, the file name and version. The infected APK is teatv.apk, a copy of the original app with malware added.
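As an added example (not code from the article or from Hispasec), a POSIX shell triage script a defender can run against a device over adb: it flags enabled accessibility services that are not on a constructed allowlist (the mechanism this malware depends on) and compares a pulled APK's SHA-256 with the teatv.apk hash quoted in the tweet above. The allowlist entry, the unknown service name in the comments and the adb commands in the usage note are assumptions.

```shell
#!/bin/sh
# Added triage helpers (not from the article or Hispasec): check a device's
# enabled accessibility services against an allowlist, and compare an APK's
# SHA-256 with the teatv.apk hash quoted in the article.

# SHA-256 of teatv.apk as published in the tweet quoted above.
TEATV_SHA256="638f5a51aca3308e00418dc119a481feb0f72b04041a9a7fafce8587b74f62da"

# Constructed allowlist: accessibility services we expect on a managed device,
# as 'package/.ServiceClass' component names separated by ':'.
ALLOWED_SERVICES="com.google.android.marvin.talkback/.TalkBackService"

# Print every enabled accessibility service that is not on the allowlist.
# $1 is the value printed by
#   adb shell settings get secure enabled_accessibility_services
# i.e. ':'-separated component names, or "null" when none is enabled.
# Returns 0 if everything enabled is allowed, 1 if something unexpected is on.
unexpected_a11y_services() {
    list=$(printf '%s' "$1" | tr -d '\r')   # strip CRs that adb shell may add
    [ "$list" = "null" ] && return 0
    old_ifs="$IFS"
    IFS=':'
    set -- $list                            # split on ':' into positional parameters
    IFS="$old_ifs"
    found=0
    for svc in "$@"; do
        [ -z "$svc" ] && continue
        case ":$ALLOWED_SERVICES:" in
            *":$svc:"*) ;;                  # allowlisted, fine
            *) echo "$svc"; found=1 ;;      # unknown service holds accessibility access
        esac
    done
    return $found
}

# Return 0 if the file in $1 hashes to the article's teatv.apk sample.
# Uses sha256sum (coreutils) or shasum (macOS/BSD).
matches_teatv_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sum=$(sha256sum "$1" | cut -d' ' -f1)
    else
        sum=$(shasum -a 256 "$1" | cut -d' ' -f1)
    fi
    [ "$sum" = "$TEATV_SHA256" ]
}

# Usage on a connected device (not run here):
#   unexpected_a11y_services "$(adb shell settings get secure enabled_accessibility_services)" \
#       || echo "review the services listed above"
#   matches_teatv_hash /path/to/pulled.apk && echo "known TeaTV malware sample"
```

A service that is enabled but not expected is worth reviewing even if it is not this sample, since any app granted accessibility access can observe the same UI events the article describes.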