A new cyberthreat has emerged in Europe impacting banks and private citizens.

A new form of Android-focused banking malware is spreading across the continent, dubbed Toddler by cybersecurity analysts.

Expert researchers have now released their findings after an in-depth investigation of the prevalent Trojan Horse-style malware.

The report reveals rising risks from banking malware

In a recent report, the specialist team at PRODAFT Threat Intelligence (PTI) stated that the Toddler malware, also referred to as TeaBot and Anatsa, is another part of a flurry of mobile-based banking malware attacks in Europe launched within countries such as the Netherlands, Spain, Switzerland, and Germany.

The banking Trojan was initially disclosed by online fraud experts at Cleafy back in January when it was uncovered. Although the malware is still under development, it has since been utilised in targeted attacks on the users of 60 banks across Europe.

Last month in June, the Romanian cybersecurity firm Bitdefender commented that both Italy and Spain were hotspots for the malware infection, although France, the UK, the Netherlands and Belgium had also been targeted.

PTI analysis regarding the malware in 2021 shows that Spain has chalked up more cyberattacks, with around 7,632 personal devices successfully infected by threat operators.

After they infiltrated a command-and-control server employed by the Trojan’s masters, the researchers at PTI also unearthed over 1,000 sets of private banking credentials that had been stolen.

While cybersecurity teams from multiple organisations have been able to track Trojan to malicious Android applications and. APK files, the infection vectors used vary greatly. Although Toddler has not yet been identified on Google Play, many legitimate sites were compromised so they could be manipulated into hosting and serving the malware strain.

Analysis of a Trojan Horse

Although Toddler has been pre-configured so that it targets the European banks’ users, PTI’s research discovered that 100% of the infections detected to date relate to a total of 18 financial organisations. Five of these entities accounted for approximately 90% of the attacks deployed, which the researchers believe may be an indication of a successful campaign using “smishing” (SMS phishing).

PTI commented on the Trojan’s execution and impact:

“Toddler downloads the specially-crafted login page for the opened target application from its C2 (command and control server) ” The downloaded webview phishing page is then laid over the target application. The user suspects nothing because this event happens almost instantaneously when the legitimate application is opened. Toddler sets a new precedent for persistence module implementation. Removal of the malware from the device requires huge technical expertise, and it looks like the process will not get easier in the future.”

In many ways, Toddler is standard Trojan software. It includes the functions typically associated with this form of malware and has been designed to steal personal information and banking details, can take screenshots, intercept two-factor authentication methods and other SMS communications, and is capable of keylogging. It can also connect to a command-and-control server to receive and accept orders, transfer stolen information and link an infected user device to an established botnet.