A well-known Android banking trojan built to steal user data, such as passwords and text messages, has been found in the Google Play Store and has been downloaded thousands of times. The TeaBot data-stealing app, also known as Anatsa and Toddler, was first spotted in May 2021 targeting European banks by stealing two-factor authentication codes sent by text message.
Google Play Store Found with a Malicious Data-Stealing App
A recent report from Cleafy, an online fraud surveillance and prevention vendor, states that the data-stealing app has evolved to include distribution via a second-stage malicious payload and is now targeting users in Russia, Hong Kong, and the United States.
Cleafy says that while the trojan was formerly distributed through SMS-based phishing campaigns using several common apps as lures, such as TeaTV, VLC Media Player, and shipping apps like DHL and UPS, its investigators found the malicious Google Play Store app acting as a “dropper” that delivers TeaBot by way of a fake in-app update. Droppers are apps that seem legitimate but fetch and install a second-stage malicious payload.
The app, “QR Code & Barcode – Scanner,” since removed, had pulled in more than 10,000 downloads by the time it was discovered. Because the app actually delivers the promised functionality, almost all of its reviews are positive. Although the app looks legitimate, it immediately requests permission to download a second application, “QR Code Scanner: Add-On,” which contains multiple TeaBot samples.
The Malware Retrieves Sensitive Information from Devices
Once installed, the data-stealing app asks for permission to view and control the device’s screen so it can retrieve sensitive information such as login credentials, SMS messages, and two-factor codes. Like other malicious Android apps, it also abuses Android’s accessibility service to obtain approvals that let the malware record keystrokes.
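The two behaviours described above, a lightly-permissioned store app that asks to install a second APK and a payload that binds the accessibility service and reads SMS, are both visible from the device side. The following triage script is an added example, not code from the article or from Cleafy. It assumes the analyst has pulled two things over adb, `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>`, and feeds them in as text; the sample inputs and package names below are constructed placeholders, not real TeaBot artefacts, and the allowlist is a hypothetical fleet baseline.

```python
# Constructed sample of the secure setting that lists enabled accessibility
# services: colon-separated "package/serviceclass" entries. The second entry
# is a placeholder standing in for a sideloaded "add-on" payload.
SAMPLE_ENABLED_A11Y = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.qrscanner.addon/.SvcA11y"
)

# Constructed dumpsys-style slices (package -> text) trimmed to the sections
# that matter here. The "qrscanner" app mirrors the dropper pattern (few
# permissions, but it may install packages); the "addon" mirrors the payload.
SAMPLE_DUMPSYS = {
    "com.example.qrscanner": """
      requested permissions:
        android.permission.INTERNET
        android.permission.REQUEST_INSTALL_PACKAGES
      install permissions:
        android.permission.INTERNET: granted=true
    """,
    "com.example.qrscanner.addon": """
      requested permissions:
        android.permission.INTERNET
        android.permission.READ_SMS
        android.permission.RECEIVE_SMS
      install permissions:
        android.permission.INTERNET: granted=true
    """,
    "com.android.talkback": """
      requested permissions:
        android.permission.INTERNET
    """,
}

# Hypothetical allowlist: packages expected to hold these capabilities.
ALLOWLIST = {"com.android.talkback"}

INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


def parse_enabled_services(setting):
    """Map package -> enabled accessibility service classes.

    A service class beginning with "." is shorthand for the package prefix.
    """
    services = {}
    for entry in filter(None, setting.strip().split(":")):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.setdefault(pkg, []).append(cls)
    return services


def parse_requested_permissions(dump):
    """Collect the entries under 'requested permissions:' in a dumpsys slice."""
    perms, in_section = set(), False
    for raw in dump.splitlines():
        line = raw.strip()
        if line == "requested permissions:":
            in_section = True
        elif line.endswith(":"):          # any other section header ends it
            in_section = False
        elif in_section and line:
            perms.add(line.split(":")[0])  # tolerate "perm: granted=..." form
    return perms


def triage(enabled_setting, dumps, allowlist=ALLOWLIST):
    """Return sorted (package, finding) pairs for non-allowlisted packages."""
    findings = set()
    for pkg in parse_enabled_services(enabled_setting):
        if pkg not in allowlist:
            findings.add((pkg, "accessibility_enabled"))
    for pkg, dump in dumps.items():
        if pkg in allowlist:
            continue
        perms = parse_requested_permissions(dump)
        if INSTALL_PERM in perms:
            findings.add((pkg, "can_install_packages"))
        if perms & SMS_PERMS:
            findings.add((pkg, "sms_access"))
    return sorted(findings)


def high_risk(findings):
    """Packages that combine screen control (accessibility) with SMS access."""
    by_pkg = {}
    for pkg, finding in findings:
        by_pkg.setdefault(pkg, set()).add(finding)
    needed = {"accessibility_enabled", "sms_access"}
    return sorted(p for p, fs in by_pkg.items() if needed <= fs)


if __name__ == "__main__":
    found = triage(SAMPLE_ENABLED_A11Y, SAMPLE_DUMPSYS)
    for pkg, reason in found:
        print(f"{pkg}: {reason}")
    print("high risk:", high_risk(found))
```

The dropper itself only surfaces as `can_install_packages`, which is why it blends in: that permission is common and the dangerous capabilities live in the second package. The combination that `high_risk` keys on, an enabled accessibility service plus SMS permissions in one non-allowlisted package, is the pairing that lets a banking trojan both read one-time codes and drive the screen, so it is the signal worth alerting on rather than either permission alone.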
“Since the dropper application distributed on the official Google Play Store requests only a few permissions and the malicious app is downloaded at a later time, it can get confused among legitimate applications and is almost undetectable by common antivirus solutions,” Cleafy warns.