Toddler Mobile Banking Botnet: Analysis Report

Starting from the second half of 2020, PRODAFT Threat Intelligence ("PTI") team witnessed a rising trend of mobile banking malware attacks against European countries; primarily targeting customers of banking institutions based in Spain, Germany, Switzerland, and the Netherlands. Toddler is considered an important example of this trend in terms of its technical features and operational chain.

This report presents a behind-the-scenes analysis of this newly emerging Android malware, also known as Teabot or Anatsa.

At the time of the analysis, Toddler largely targets Spain, but the malware sample contains textual content for targeting Spanish, English, Italian, German, French, and Dutch-speaking users.

The PTI team has de-anonymized the C&C server and discovered that Toddler has already infected more than 7,632 devices at the time of this report.

Apart from our detailed technical analysis, statistics and observations from the main C&C panel are also provided in detail.

Download Report