Cybercriminals have successfully managed to hide a banking Trojan on the Google Play Store, which has probably infected thousands of devices with the aim of stealing identities and two-factor authentication codes.
A new report from security firm Cleafy has found that the TeaBot banking trojan, also tracked as Anatsa or Toddler, was deployed as a second-stage payload from an apparently legitimate app.
The team found that it was distributed as an update to a non-malicious application called “QR Code & Barcode – Scanner” which behaves exactly as advertised. The app works as intended, i.e. it scans barcodes and QR codes accurately, which is why it has received a lot of positive reviews on the Play Store.
But as soon as the app is installed, the report says, it asks for permission to download a second app called “QR Code Scanner: Add-On” which contains “multiple TeaBot samples”.
The app was downloaded more than 10,000 times before it was discovered for what it really was and removed from the app store.
When a victim installs the “Add-On”, TeaBot requests permissions to view and control the device’s screen and, if allowed, harvests login credentials, SMS messages and two-factor authentication codes. It can also log keystrokes by abusing Android accessibility services.
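The two-stage pattern described above is hard to catch by looking at the Play Store app alone, because the first stage asks for almost nothing. The following added example (not Cleafy's or Google's code) sketches a defender-side triage check: it scores each stage by the Android permissions and components it declares, then flags the pair when a low-permission app sideloads a package that combines accessibility access, SMS access and screen overlays. The package names and permission sets are constructed for illustration; the permission constant names are standard Android ones.

```python
# Added example: triage of an app and the package it sideloaded.
# Manifest summaries below are constructed; package names are placeholders.
from dataclasses import dataclass, field

# Standard Android permission names relevant to the TeaBot-style chain.
INSTALL_PERMS = {"android.permission.REQUEST_INSTALL_PACKAGES"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}


@dataclass
class AppSummary:
    """Minimal view of an APK's manifest: package id, requested permissions,
    and whether it declares a service bound with BIND_ACCESSIBILITY_SERVICE."""
    package: str
    permissions: set = field(default_factory=set)
    declares_accessibility_service: bool = False


def assess(app: AppSummary):
    """Return (score, findings) for one package. Each high-risk capability
    counts one point; a plain camera/QR app should score zero."""
    findings = []
    if app.permissions & INSTALL_PERMS:
        findings.append("can install additional packages (dropper capability)")
    if app.declares_accessibility_service:
        findings.append("declares an accessibility service (reads/controls the screen)")
    if app.permissions & SMS_PERMS:
        findings.append("can read incoming SMS (2FA code interception)")
    if app.permissions & OVERLAY_PERMS:
        findings.append("can draw over other apps (fake login overlays)")
    return len(findings), findings


def assess_install_chain(installer: AppSummary, installed: AppSummary):
    """Evaluate a parent app together with the package it sideloaded.
    The interesting case is a near-clean parent that drops a high-risk child:
    that is exactly what the first stage alone would never reveal."""
    parent_score, parent_findings = assess(installer)
    child_score, child_findings = assess(installed)
    verdict = "benign"
    if child_score >= 2 and parent_score <= 1:
        verdict = "suspicious: low-permission app dropped a high-risk package"
    elif child_score >= 2:
        verdict = "suspicious: high-risk package in install chain"
    return {
        "parent": (installer.package, parent_score, parent_findings),
        "child": (installed.package, child_score, child_findings),
        "verdict": verdict,
    }


# Constructed sample data modelled on the report: a working scanner app that
# only adds the right to install packages, and the dropped "add-on".
SCANNER = AppSummary(
    "com.example.qrscanner",  # placeholder package name
    {"android.permission.CAMERA", "android.permission.REQUEST_INSTALL_PACKAGES"},
)
ADDON = AppSummary(
    "com.example.qraddon",  # placeholder package name
    {"android.permission.RECEIVE_SMS", "android.permission.SYSTEM_ALERT_WINDOW"},
    declares_accessibility_service=True,
)

if __name__ == "__main__":
    result = assess_install_chain(SCANNER, ADDON)
    for stage in ("parent", "child"):
        pkg, score, findings = result[stage]
        print(f"{stage}: {pkg} score={score}")
        for f in findings:
            print(f"  - {f}")
    print("verdict:", result["verdict"])
```

On a real device or in a pipeline the `AppSummary` values would come from parsing each APK's manifest (for example with a tool such as `aapt`), and the install-chain link from the package installer's record of which app initiated the install; the scoring itself is deliberately simple so the weighting can be tuned per environment.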
“Since the app distributed on the official Google Play Store only asks for a few permissions and the malicious app is downloaded later, it can be confused with legitimate apps and is almost undetectable by common antivirus solutions,” says Cleafy.
Google did not comment on the findings, but removed the app from the store.
TeaBot was first spotted in May last year when it targeted European banks by stealing two-factor codes sent via SMS. Cleafy says it’s targeting users in Russia, Hong Kong and the US this time around.