While the Google Play Store is home to millions of useful Android apps and games, it also hosts malicious apps that pose a privacy threat to users. A new malicious app has now been discovered that carries a new banking trojan dubbed “TeaBot,” designed to steal sensitive user data like passwords, bank credentials, and text messages on your Android phone. Let’s take a closer look at the details below.
TeaBot Banking Trojan Discovered in QR Code App
The TeaBot banking trojan, also known as Toddler and Anatsa, was first discovered back in May 2021. At that time, it targeted European banks and stole two-factor authentication (2FA) codes sent by text messages. However, a report from malware and online fraud prevention platform Cleafy now states that the malware has evolved and is now being used to target users in Russia, Hong Kong, and the USA.
As per the report, the Android app named “QR Code & Barcode – Scanner” was the latest TeaBot-laden app in the Google Play Store, with more than 10,000 downloads. While the app looked legitimate at first glance, it asked for permission to download a second “QR Coder Scanner: Add On” application, which included the TeaBot samples once it was downloaded.
Once the second app was installed, it asked for permissions to view and control the device’s screen to gain sensitive user data such as SMS, login credentials, and 2FA codes. Moreover, the trojan also recorded keyboard entries of the user, much like other banking malware, to retrieve sensitive information.
As the QR Code & Barcode – Scanner app looked legitimate, most of the user reviews were positive. Additionally, the app downloaded the TeaBot trojan as an in-app update, and hence, remained “almost undetectable” by many antivirus solutions for Android.
“Since the dropper application distributed on the official Google Play Store requests only a few permissions and the malicious app is downloaded at a later time, it is able to get confused among legitimate applications and it is almost undetectable by common antivirus solutions,” the Cleafy researchers wrote in the report.
Previously, the TeaBot trojan was distributed via SMS phishing campaigns that lured users with popular Android apps such as VLC Media Player, TeaTV, DHL, or UPS. These apps acted as a “dropper” for the malicious TeaBot trojan, which means that they appeared to be legit apps but delivered a second-stage malicious payload that installed TeaBot on the devices of users running the apps.
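The dropper pattern described above can be checked for on managed devices by correlating each package with the app that installed it. The following is an added example, not code from Cleafy or from this article: the inventory records and their field names are constructed and hypothetical (the kind of data an MDM export might hold), and it assumes the "view and control the screen" permission corresponds to an enabled Android accessibility service.

```python
# Constructed inventory; package names and field names are hypothetical.
PLAY_STORE = "com.android.vending"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

INVENTORY = [
    {"package": "com.example.qrscanner", "installer": PLAY_STORE,
     "permissions": {"android.permission.CAMERA", INSTALL_PERM},
     "accessibility_enabled": False},
    {"package": "com.example.qrscanner.addon",
     "installer": "com.example.qrscanner",
     "permissions": SMS_PERMS | {"android.permission.INTERNET"},
     "accessibility_enabled": True},
    {"package": "com.example.screenreader", "installer": PLAY_STORE,
     "permissions": set(), "accessibility_enabled": True},
]


def find_dropper_chains(inventory):
    """Flag packages installed by another on-device app (not the store)
    that also hold screen-control or SMS access."""
    by_name = {app["package"]: app for app in inventory}
    findings = []
    for app in inventory:
        parent = by_name.get(app["installer"])
        if parent is None or app["installer"] == PLAY_STORE:
            continue  # store install, or installer not in the inventory
        reads_sms = bool(app["permissions"] & SMS_PERMS)
        if not (app["accessibility_enabled"] or reads_sms):
            continue  # second-stage install without the sensitive access
        reasons = []
        if INSTALL_PERM in parent["permissions"]:
            reasons.append("installer may install other packages")
        if app["accessibility_enabled"]:
            reasons.append("payload has an enabled accessibility service")
        if reads_sms:
            reasons.append("payload can read SMS")
        findings.append({"dropper": parent["package"],
                         "payload": app["package"],
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_dropper_chains(INVENTORY):
        print(finding)
```

The store-installed screen reader is not flagged even though its accessibility service is enabled, because the check keys on the install chain rather than on the permission alone.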
While the QR Code & Barcode – Scanner has already been removed from the Play Store by Google, Cleafy mentions that TeaBot is now targeting 400+ Android apps. These include crypto wallets, insurance apps, and home banking apps. So, if you are an Android user, especially in Hong Kong, Russia, or the USA, beware of the TeaBot trojan in the Google Play Store!