TeaBot Android Banking Malware Spreads Again Through Google Play Store Apps

An Android banking trojan designed to steal credentials and SMS messages has been observed sneaking past Google Play Store protections to target users of more than 400 banking and financial apps from Russia, China, and the U.S. "TeaBot RAT capabilities are achieved via the device screen's live streaming plus the abuse of Accessibility Services for remote interaction and key-logging," Cleafy researchers said in a report.
Also known by the name Anatsa, TeaBot first emerged in May 2021, camouflaging its malicious functions by posing as seemingly innocuous PDF document and QR code scanner apps that are distributed via the official Google Play Store instead of third-party app stores or fraudulent websites.
Then earlier this January, Bitdefender researchers identified TeaBot lurking in the official Android app marketplace as a "QR Code Reader - Scanner App," gaining more than 100,000 downloads within a span of a month before it was taken down.
The latest version of the TeaBot dropper, spotted by Cleafy on February 21, 2022, is also a QR code reader app, named "QR Code & Barcode - Scanner," which has been downloaded roughly 10,000 times from the Play Store.
Once installed, the modus operandi is the same: prompt users to accept a fake add-on update, which, in turn, leads to the installation of a second app hosted on GitHub that actually contains the TeaBot malware.
"In less than a year, the number of applications targeted by TeaBot have grown more than 500%, going from 60 targets to over 400," the researchers said, adding the malware now strikes several apps related to personal banking, insurance, crypto wallets, and crypto exchanges.
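For app-vetting triage, the capabilities named above (a dropper that installs a second app, Accessibility Services abuse, screen streaming, SMS theft) each leave a trace in an app's manifest. The following is an added example, not code from the article or from Cleafy: it flags those traits in a decoded, text-form AndroidManifest.xml. The flag names and both sample manifests are constructed for illustration, and the mapping from each trait to TeaBot's actual manifests is an assumption.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

def triage_manifest(manifest_xml):
    """Return sorted review flags for one decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    flags = set()
    if INSTALL in perms:            # app may prompt to install a second APK
        flags.add("can-install-other-apks")
    if perms & SMS:                 # app can read incoming SMS
        flags.add("reads-sms")
    for svc in root.iter("service"):
        actions = {a.get(NS + "name") for a in svc.iter("action")}
        if svc.get(NS + "permission") == A11Y_PERM and A11Y_ACTION in actions:
            flags.add("declares-accessibility-service")
        fg_types = (svc.get(NS + "foregroundServiceType") or "").split("|")
        if "mediaProjection" in fg_types:   # screen capture / streaming service
            flags.add("screen-capture-service")
    return sorted(flags)

# Constructed manifests (not taken from any real sample).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="{}">'
SCANNER_WITH_INSTALLER = HEAD.format("example.scanner") + """
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application/>
</manifest>"""
SIDELOADED_ADDON = HEAD.format("example.addon") + """
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:foregroundServiceType="mediaProjection">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in [("scanner", SCANNER_WITH_INSTALLER), ("addon", SIDELOADED_ADDON)]:
        print(name, triage_manifest(xml))
```

A flag is a reason for manual review, not a verdict: legitimate apps also request these permissions, so the signal is a utility app whose stated purpose does not need them.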
News URL
https://thehackernews.com/2022/03/teabot-android-banking-malware-spreads.html