This data-stealing Android app has been downloaded thousands of times
Criminals have successfully concealed a banking Trojan on the Google Play Store, possibly infecting thousands of devices in an attempt to steal identities and two-factor authentication codes.
A new report from security firm Cleafy has revealed that the TeaBot banking trojan, sometimes referred to as Anatsa or Toddler, was being distributed as a second-stage payload from an apparently legitimate application.
The team discovered that it was distributed as an update to a non-malicious and fully functional application called “QR Code & Barcode – Scanner”. The app works as expected – scans barcodes and QR codes correctly and as such has received many positive reviews on the Play Store.
However, as soon as it’s installed, it asks for permission to download a second app, called “QR Code Scanner: Add-On” which the post says includes “several TeaBot samples.”
The app was downloaded over 10,000 times before being discovered for what it really was and being removed from the App Store.
When a victim downloads the “add-on”, TeaBot will request permissions to view and control the endpoint screen and, if granted, will use the power to extract login credentials, SMS messages or codes two-factor authentication. It also accesses keystroke logging by abusing Android accessibility services.
“Since the dropper app distributed on the official Google Play Store only asks for a few permissions and the malicious app is downloaded later, it can get confused with the legitimate apps and it is almost undetectable by common anti-virus solutions”, Cleafy said. .
Although Google did not comment on the results, it removed the app from the store.
TeaBot was first spotted in May last year when it targeted European banks by stealing two-factor codes sent via text message. This time around, Cleafy says, it’s targeting users in Russia, Hong Kong and the United States.