A new report from security firm Cleafy found that the TeaBot banking trojan, also tracked as Anatsa or Toddler, was being distributed as a second-stage payload from a seemingly legitimate app.
The team found it was being delivered as an update to a non-malicious, fully functioning app called “QR Code & Barcode - Scanner”. The app works as advertised, scanning barcodes and QR codes correctly, and had accordingly received numerous positive reviews on the Play Store.
Delivering the payload
Once installed, the app requests permission to download and install a second application, called “QR Code Scanner: Add-On”, which, according to the publication, contains “multiple TeaBot samples”.
The dropper had been downloaded more than 10,000 times before it was identified for what it really was and removed from the Play Store.
When a victim installs the “add-on”, TeaBot asks for permission to view and control the device’s screen by abusing Android accessibility services. If granted, it uses that access to harvest login credentials, SMS messages and two-factor authentication codes, and to log keystrokes.
“Since the dropper application distributed on the official Google Play Store requests only a few permissions and the malicious app is downloaded at a later time, it is able to get confused among legitimate applications and it is almost undetectable by common antivirus solutions,” Cleafy said.
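The evasion Cleafy describes is structural: the Play Store app carries almost no permissions, and everything dangerous lives in an APK fetched at runtime. A manifest-level triage that looks at each stage separately therefore has to look for two different tells: the dropper's ability to install a package at runtime, and the second stage's accessibility-service binding plus SMS or overlay access. The script below is an added example, not Cleafy's tooling or anything from the report; the two manifests are constructed, the package names are hypothetical, and the permission names are the real Android ones.

```python
"""Static triage of decoded AndroidManifest.xml text for the staged-dropper pattern.

Added example; the manifests are constructed and the package names hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names; grouping them into dropper/payload tells is ours.
RUNTIME_INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"


def triage_manifest(xml_text):
    """Return package name, <uses-permission> count and sorted finding codes."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")} - {None}
    findings = set()
    if RUNTIME_INSTALL in perms:
        findings.add("RUNTIME_APK_INSTALL")
    if perms & SMS_PERMS:
        findings.add("SMS_ACCESS")
    if OVERLAY in perms:
        findings.add("SCREEN_OVERLAY")
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE,
    # not a <uses-permission>, so a permission-only check would miss it.
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == ACCESSIBILITY_BIND:
            findings.add("ACCESSIBILITY_SERVICE")
    return {"package": root.get("package"),
            "permission_count": len(perms),
            "findings": sorted(findings)}


def classify(report):
    """Map a triage report to a verdict; thresholds are this example's own."""
    f = set(report["findings"])
    if "ACCESSIBILITY_SERVICE" in f and ("SMS_ACCESS" in f or "SCREEN_OVERLAY" in f):
        return "banker-like second stage"
    if f == {"RUNTIME_APK_INSTALL"} and report["permission_count"] <= 5:
        return "low-permission dropper candidate"
    if f:
        return "review"
    return "no flagged capabilities"


# Constructed stage-one manifest: a working scanner that only adds runtime install.
DROPPER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="QR Scanner"/>
</manifest>"""

# Constructed stage-two manifest: SMS access, overlays and an accessibility service.
PAYLOAD_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner.addon">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="QR Add-On">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


if __name__ == "__main__":
    for text in (DROPPER_MANIFEST, PAYLOAD_MANIFEST):
        report = triage_manifest(text)
        print(report["package"], report["findings"], "->", classify(report))
```

The dropper verdict relies on the very property Cleafy points out: a tiny permission set with a single out-of-place capability. That is a weak signal on its own, since many legitimate apps (alternative stores, some enterprise tooling) also request runtime installs, and the second-stage APK never appears in a static scan of the Play Store build. Treat the dropper flag as a prompt to run the app and watch for a package install, not as a conviction.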
While Google did not comment on the findings, it did remove the app from the store.
TeaBot was first documented by Cleafy in May 2021, when it targeted customers of European banks by intercepting two-factor codes sent via SMS. This campaign, Cleafy says, targets users in Russia, Hong Kong and the US.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.