Criminals have managed to successfully hide a banking Trojan on the Google Play Store, possibly infecting thousands of devices in an attempt to steal identities and two-factor authentication codes.
A new report from security firm Cleafy found thatTeaBot banking trojan, sometimes referred to as Anatsa, or Toddler, was being distributed as a second-stage payload from a seemingly legitimate app.
The team found it was being distributed as an update to a non-malicious, fully functioning app called “QR Code & Barcode – Scanner”. The app works as intended – scans barcodes and QR codes properly, and as such, has received numerous positive reviews on the Play Store.
Delivering the payload
However, as soon as it’s installed, it requests permission to download a second application, called “QR Code Scanner: Add-On” which, according to the publication, includes “multiple TeaBot samples”.
The app has had more than 10,000 downloads before being discovered for what it truly was, and being removed from the app store.
When a victim downloads the “add-on”, TeaBot will ask for permissions to view and control the endpoint’s screen, and if granted – will use the power to pull login credentials, SMS messages, or two-factor authentication codes. It also gains access to record keystrokes, by abusing Android accessibility services.
“Since the dropper application distributed on the official Google Play Store requests only a few permissions and the malicious app is downloaded at a later time, it is able to get confused among legitimate applications and it is almost undetectable by common antivirus solutions,” Cleafy said.
While Google did not comment on the findings, it did remove the app from the store.
TeaBot was first spotted in May last year, when it targeted European banks by stealing two-factor codes sent via SMS. This time around, Cleafy says, it targets users in Russia, Hong Kong, and the US.