Last updated: May 14, 2026 at 10:49 AM UTC

New 'TCLBanker' Android malware spreads itself by hijacking WhatsApp and Outlook to message every contact in the victim's address book

Researchers disclosed TCLBANKER, an Android banking trojan that adds worm-style self-propagation: once installed, it abuses Accessibility Services to read the victim's WhatsApp and Outlook contact lists and then sends malicious download links to every contact as if from the victim. The malware targets banking and crypto-wallet apps with overlay screens that capture credentials, plus SMS-interception modules that grab one-time passcodes. Because the lures arrive from a known contact through the victim's own messaging history, the self-spreading defeats traditional URL-reputation controls. The campaign initially concentrates on banking apps in Brazil, Spain, and Italy. Operators are renting access on Telegram for $1,500-3,000/month.

Check
Brief staff who manage Android devices that any 'app download' link sent through WhatsApp or Outlook from a known contact during business hours should be verified out-of-band before clicking. Review unfamiliar Android apps requesting Accessibility Services.
Affected
Android users in Brazil, Spain, and Italy initially - but worm-style spread will broaden the geography rapidly. Acute risk: anyone whose phone has Accessibility Services enabled for any third-party app. Banking and cryptocurrency app users face credential theft via overlay attacks. Contact networks of infected users get the lures next.
Fix
On managed Android devices: enforce MDM policies that block sideloading and require approval for any app requesting Accessibility Services. Disable Accessibility Services for apps that don't genuinely need them. Brief staff on the worm-spread pattern: a contact sending a link to download an app is a hostile signal regardless of who the sender is.
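
One way to carry out the Accessibility Services review above on a device attached over adb, as an added example that is not part of the original report. The allowlist entries, the `com.example.*` package names and the sample value are constructed placeholders; `settings get secure enabled_accessibility_services` and `pm list packages -i` are standard Android shell commands.

```shell
#!/bin/sh
# Added example: flag apps that hold an enabled Accessibility Service
# but are not on an approved list.

# Assumption: placeholder allowlist, replace with your approved packages.
ALLOWLIST="com.google.android.marvin.talkback com.example.approved.reader"

# unapproved_a11y <value of secure setting enabled_accessibility_services>
# The value is a colon-separated list of "package/ServiceClass" entries,
# or "null"/empty when nothing is enabled. Prints each package that is
# not in ALLOWLIST, one per line, de-duplicated.
unapproved_a11y() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r comp; do
        pkg=${comp%%/*}
        case "$pkg" in ''|null) continue ;; esac
        case " $ALLOWLIST " in
            *" $pkg "*) ;;                      # approved, skip
            *) printf '%s\n' "$pkg" ;;          # needs review
        esac
    done | sort -u
}

# audit_device: run the check against the device attached over adb and
# show each flagged package with its installer (a sideloaded app typically
# does not list the Play Store, com.android.vending, as its installer).
audit_device() {
    value=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    for pkg in $(unapproved_a11y "$value"); do
        printf 'REVIEW %s\n' "$pkg"
        adb shell pm list packages -i "$pkg" | tr -d '\r'
    done
}

# Constructed sample value (not taken from a real device or from the report).
SAMPLE="com.google.android.marvin.talkback/.TalkBackService:com.example.updater/.CoreService"

if [ "${1:-}" = "--device" ]; then
    audit_device
else
    unapproved_a11y "$SAMPLE"    # prints: com.example.updater
fi
```

Run it with `--device` to audit an attached phone; without arguments it only evaluates the constructed sample.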