White Hat Institute

Thousands of people have downloaded this data-stealing Android app

data-stealing Android app
Retrieved from pplware.sapo.pt

In an effort to seize identities and two-factor authentication tokens, cybercriminals have effectively hidden a banking Trojan on the Google Play Store, potentially compromising thousands of devices. The TeaBot banking trojan, also known as Anatsa or Toddler, was discovered as a second-stage payload from a potentially valid app, according to a recent analysis from security firm Cleafy.

It was discovered that it was being delivered as an update to a fully functional, non-malicious app called “QR Code & Barcode — Scanner.” The software does what it’s supposed to do — scans barcodes and QR codes correctly — and as a result, it’s received a lot of favorable feedback on the Play Store.

qr code & barcode scanner app
Retrieved from pplware.sapo.pt

However, after it’s loaded, it asks for permission to download a second software called “QR Code Scanner: Add-On,” which includes “many TeaBot samples,” according to the publication. Before it was identified for what it really was and banned from the app store, the app had over 10,000 downloads.

TeaBot will seek access to view and control the endpoint’s screen when a victim downloads the “add-on,” and if allowed, will use that authority to retrieve login credentials, SMS messages, or two-factor authentication tokens. By abusing Android accessibility APIs, it also acquires access to capture keystrokes.

“Because the dropper software released on the official Google Play Store only asks for a few permissions and the malicious program is downloaded later,” Cleafy explained, “it is able to get mistaken among legal apps and is nearly undetectable by typical antivirus solutions.”

Although Google has not commented on the findings, the app has been removed from the Google Play store.

TeaBot was first discovered in May of last year when it was discovered stealing two-factor codes provided by SMS from European banks. Cleafy claims that this time it is aimed at users in Russia, Hong Kong, and the United States.