While there are millions of useful Android apps and games in the Google Play store, there are also malicious apps that pose a privacy threat to users. A new malicious app has been discovered. The app can carry a new banking Trojan called “TeaBot” designed to steal sensitive user data such as Android smartphone passwords, bank credentials and text messages. Let’s take a closer look at the details below.
TeaBot banking Trojan found in QR code app
The TeaBot banking Trojan, also known as Toddler and Anatsa, was first discovered in May 2021. At that time, it targeted a European bank and stole two-factor authentication (2FA) codes sent by text message. However, according to a report from the malware and online fraud prevention platform Cleafy, the malware has evolved and now targets users in Russia, Hong Kong, and the United States.
According to the report, an Android app named “QR Code and Barcode-Scanner” was the latest TeaBot-carrying app on the Google Play store. It had been downloaded more than 10,000 times. The app looked legitimate at first glance, but after the download it asked for permission to download a second application, “QR Coder Scanner: Add On”, which includes the TeaBot sample.
When the second app is installed, it requests permissions to view and control the screen of the device in order to obtain sensitive user data such as SMS messages, login credentials and 2FA codes. In addition, like other banking malware, the Trojan records the user's keyboard entries to retrieve sensitive information.
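A static triage for the two stages described above, as an added example that is not from Cleafy's report or the original article: it reads a decoded AndroidManifest.xml and flags the ability to install other apps, SMS access and a declared accessibility service. The mapping of the article's behaviours to these standard Android permission names is an assumption, and the sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.android.com/apk/res/android"
A = "{" + NS + "}"          # ElementTree form of the android: attribute prefix
P = "android.permission."
# Assumed mapping of the article's behaviours to standard Android permissions.
BEHAVIOURS = {
    "installs_other_apps": {P + "REQUEST_INSTALL_PACKAGES"},
    "reads_sms": {P + "READ_SMS", P + "RECEIVE_SMS"},
}
ACCESSIBILITY = P + "BIND_ACCESSIBILITY_SERVICE"

def triage(manifest_xml):
    """Return the set of risky behaviours a decoded AndroidManifest.xml declares."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    found = {name for name, perms in BEHAVIOURS.items() if perms & requested}
    # An accessibility service is declared on <service>, not as a uses-permission.
    if any(s.get(A + "permission") == ACCESSIBILITY for s in root.iter("service")):
        found.add("screen_control")
    return found

def verdict(found):
    """Turn the behaviour set into a reviewer-facing triage result."""
    if {"screen_control", "reads_sms"} <= found:
        return "review: screen control plus SMS access"
    if "installs_other_apps" in found:
        return "review: able to install a second app"
    return "no dropper indicators"

def manifest(perms, accessibility_service=False):
    """Build a constructed sample manifest (not taken from any real app)."""
    uses = "".join('<uses-permission android:name="%s%s"/>' % (P, p) for p in perms)
    svc = '<service android:name=".Svc" android:permission="%s"/>' % ACCESSIBILITY
    app = "<application>%s</application>" % (svc if accessibility_service else "")
    return '<manifest xmlns:android="%s" package="com.example.app">%s%s</manifest>' % (NS, uses, app)

SAMPLES = {
    "first_stage": manifest(["CAMERA", "INTERNET", "REQUEST_INSTALL_PACKAGES"]),
    "second_stage": manifest(["INTERNET", "READ_SMS", "RECEIVE_SMS"], True),
    "plain_scanner": manifest(["CAMERA"]),
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(name, "->", verdict(triage(xml)))
```

A scanner app that only needs the camera has no functional reason to request package installation, which is why the first-stage sample is flagged for review even though it asks for very little else.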
Most of the user reviews for QR Code and Barcode-Scanner were positive because the app looked legitimate. In addition, the app downloaded the TeaBot Trojan as an in-app update, so it was “almost undetectable” by many antivirus solutions for Android.
“Dropper applications distributed on the official Google Play store request very few permissions, and the malicious app is downloaded later, so they can be confused with legitimate applications and are rarely detected by common antivirus solutions,” Cleafy researchers wrote in the report.
Previously, the TeaBot Trojan was distributed via SMS phishing campaigns that lured users with popular Android apps such as VLC Media Player, TeaTV, DHL and UPS. These apps acted as “droppers” for the malicious TeaBot Trojan. In short, they looked like legitimate apps but delivered a second-stage malicious payload that was installed on the device of the user running the app.
While QR Code and Barcode-Scanner has already been removed from Google’s Play Store, Cleafy states that TeaBot is currently targeting over 400 Android apps. These include crypto wallets, insurance apps and home banking apps. Therefore, be aware of the TeaBot Trojan in the Google Play Store, especially if you are an Android user in Hong Kong, Russia, or the United States.