Toddler mobile banking malware surges across Europe

The Android malware is a new and persistent threat to European citizens and banks alike.
Written by Charlie Osborne, Contributing Writer

Researchers have provided a deep dive into Toddler, a new Android banking Trojan that is surging across Europe. 

In a report shared with ZDNet, the PRODAFT Threat Intelligence (PTI) team said that the malware, also known as TeaBot/Anatsa, is part of a rising trend of mobile banking malware attacking countries, including Spain, Germany, Switzerland, and the Netherlands.

Toddler was first disclosed by Cleafy following its discovery in January. While still under active development, the mobile Trojan has been used in attacks against the customers of 60 European banks.  

In June, Bitdefender said that Spain and Italy were infection hotspots, although the UK, France, Belgium, Australia, and the Netherlands were also being targeted.

According to PTI, in an analysis of the malware this year, Spain has secured the top spot for cyberattacks. So far, at least 7,632 mobile devices have been infected.

After infiltrating a command-and-control (C2) server used by the Trojan's operators, the researchers also found over 1000 sets of stolen banking credentials. 

Although researchers from multiple organizations have tracked Toddler to malicious .APK files and Android apps, infection vectors vary. While the Trojan has not -- as of now -- been found on Google Play, numerous legitimate websites have been compromised to host and serve the malware.  

While Toddler is pre-configured to target the users of "dozens" of banks across Europe, the company has found that 100% of infections detected, so far, relate to only 18 financial organizations. In total, five of the companies accounted for close to 90% of attacks -- which the team believes may indicate a successful SMS-based phishing campaign. 

Toddler is run-of-the-mill Trojan software in many ways. It contains the functions you would typically expect: the ability to steal data, including banking details, keylogging, taking screenshots, intercepting two-factor authentication (2FA) codes, SMS interception, and connecting to a C2 to transfer information, accept commands, and link the infected device to a botnet. 

The Trojan will use overlay attacks to dupe victims into submitting their EU bank credentials by displaying fake login screens. Upon installation, the malware monitors what legitimate apps are being opened -- and once target software is launched, the overlay attack begins.

"Toddler downloads the specially-crafted login page for the opened target application from its C2," PRODAFT noted. "The downloaded webview phishing page is then laid over the target application. The user suspects nothing because this event happens almost instantaneously when the legitimate application is opened."

The malware will also attempt to steal other account records, such as those used to access cryptocurrency wallets.

The C2's command list includes activating an infected device's screen, prompting permission requests, changing volume levels, attempting to grab codes from Google Authenticator via Accessibility, and uninstalling apps. 

The level of persistence this Trojan is able to maintain is unusual. Toddler contains multiple persistence mechanisms -- the most notable of which is preventing an infected device from being rebooted by abusing Accessibility functions. 

Toddler can also prevent a handset from being used in safe mode.

"Toddler sets a new precedent for persistence module implementation," the researchers say. "Removal of the malware from the device requires huge technical expertise, and it looks like the process will not get easier in the future."
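A defender-side triage sketch for the combination of traits described above (an install from outside Google Play, an enabled Accessibility service, and SMS access). It is an added example, not code from the PRODAFT report or this article; the package names and sample data are constructed, and the trusted-installer list and severity labels are assumptions.

```python
import re

# Assumption: Google Play is the only trusted installer; add your MDM or store here.
TRUSTED_INSTALLERS = {"com.android.vending"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Constructed sample (made-up packages), in the format of `adb shell pm list packages -i`.
PM_LIST = """\
package:com.example.bank  installer=com.android.vending
package:com.example.mediaplayer  installer=null
package:com.example.screenreader  installer=com.android.vending
package:com.example.notes  installer=null
"""
# Constructed value of `adb shell settings get secure enabled_accessibility_services`.
A11Y = "com.example.mediaplayer/.PlayerService:com.example.screenreader/com.example.screenreader.Reader"
# Constructed requested-permission sets per package (e.g. gathered from `dumpsys package`).
PERMS = {
    "com.example.mediaplayer": {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"},
    "com.example.notes": {"android.permission.READ_SMS"},
}

def parse_installers(text):
    """Map package name -> installer package, or None when sideloaded."""
    found = re.findall(r"^package:(\S+)[ \t]+installer=(\S+)$", text, re.M)
    return {pkg: (None if inst == "null" else inst) for pkg, inst in found}

def parse_a11y(value):
    """Return the packages that own an enabled Accessibility service."""
    value = value.strip()
    if not value or value == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def triage(pm_text, a11y_value, perms):
    """Flag sideloaded apps that also hold Accessibility and/or SMS access."""
    a11y = parse_a11y(a11y_value)
    findings = []
    for pkg, installer in sorted(parse_installers(pm_text).items()):
        if installer in TRUSTED_INSTALLERS:
            continue  # store-installed apps are out of scope for this heuristic
        reasons = ["sideloaded"]
        if pkg in a11y:
            reasons.append("accessibility-service")
        if perms.get(pkg, set()) & SMS_PERMS:
            reasons.append("sms-access")
        if len(reasons) > 1:
            severity = "high" if len(reasons) == 3 else "review"
            findings.append((pkg, severity, reasons))
    return findings
```

A hit is a prompt for manual review, not a verdict: legitimate sideloaded apps can match the same traits.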
