This data-stealing Android app has been downloaded thousands of times

app security
(Image credit:

Criminals have managed to successfully hide a banking Trojan on the Google Play Store, possibly infecting thousands of devices in an attempt to steal identities and two-factor authentication codes.

A new report from security firm Cleafy found thatTeaBot banking trojan, sometimes referred to as Anatsa, or Toddler, was being distributed as a second-stage payload from a seemingly legitimate app. 

The team found it was being distributed as an update to a non-malicious, fully functioning app called “QR Code & Barcode - Scanner”. The app works as intended - scans barcodes and QR codes properly, and as such, has received numerous positive reviews on the Play Store.

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

Delivering the payload

However, as soon as it’s installed, it requests permission to download a second application, called “QR Code Scanner: Add-On” which, according to the publication, includes “multiple TeaBot samples”.

The app has had more than 10,000 downloads before being discovered for what it truly was, and being removed from the app store.

When a victim downloads the “add-on”, TeaBot will ask for permissions to view and control the endpoint’s screen, and if granted - will use the power to pull login credentials, SMS messages, or two-factor authentication codes. It also gains access to record keystrokes, by abusing Android accessibility services.

“Since the dropper application distributed on the official Google Play Store requests only a few permissions and the malicious app is downloaded at a later time, it is able to get confused among legitimate applications and it is almost undetectable by common antivirus solutions,” Cleafy said.

While Google did not comment on the findings, it did remove the app from the store.

TeaBot was first spotted in May last year, when it targeted European banks by stealing two-factor codes sent via SMS. This time around, Cleafy says, it targets users in Russia, Hong Kong, and the US.

Via: TechCrunch

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.