By hiding trojans in fake software updates, malicious Google Play apps have slipped past the store's defences.

According to Cleafy researchers, the TeaBot banking trojan – also known as “Anatsa” – has been identified on the Google Play store.

Users of “more than 400 banking and financial apps, including those from Russia, China, and the United States,” according to the study, were impacted by the malware, which was designed to intercept SMS messages and login credentials from unwary users.

This isn't the first time TeaBot has alarmed Android users.

TeaBot was first discovered last year. It is a fairly simple piece of malware that steals banking, contact, SMS, and other confidential information from infected devices. What distinguishes it, and gives it such staying power, is the sophisticated way in which it spreads.

TeaBot does not rely on a malicious email or text message, a phoney website, or a third-party service. Instead, it is usually packaged as a dropper application. Droppers are programmes that appear to be normal on the surface but serve as vehicles for delivering a second-stage malicious payload.

TeaBot droppers have masqueraded as regular QR code or PDF readers. Attackers “usually stick to utility apps like QR code scanners, flashlights, photo filters, or PDF scanners because these are apps that people download out of necessity and likely won’t put as much time into looking at reviews that might influence their decision to download,” according to Hank Schless, senior manager of security solutions at Lookout, via email.

This strategy appears to be working. For a little over a month in January, a programme named QR Code Reader – Scanner App was distributing 17 different TeaBot variants. By the time it was detected, it had amassed over 100,000 downloads.

Other TeaBot droppers have been bundled under a variety of names, including QR Scanner 2021, PDF Document Scanner, and CryptoTracker, as identified by Dutch security firm ThreatFabric last November. According to security firm Cleafy, the most recent was QR Code & Barcode – Scanner.

-Why is TeaBot unstoppable?
App stores do have anti-malware standards and procedures in place. For example, Google Play Protect helps prevent dangerous apps from being installed and scans devices daily for evidence of malicious behaviour.

TeaBot droppers, on the other hand, do not appear to be malicious at all. On the surface, they look entirely unremarkable.

When a user launches one of these unassuming programmes, they are prompted to update it. In reality, the "update" is a second app carrying the malicious payload.

The infection proper begins once the user allows the app to install software from unknown sources. Like other Android malware, TeaBot then tries to abuse Accessibility Services. The attack also uses a sophisticated remote access feature built on the TeamViewer application (a remote access and desktop sharing tool) to give the malware's operator remote control over the victim's device.

The ultimate purpose of these attacks, according to the research, is to harvest sensitive information from the device's screen, such as login credentials, SMS messages and 2FA codes, and to perform malicious operations on the device.
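Seen from the defender's side, the infection chain above depends on two device-side conditions that an administrator or a mobile-security agent can audit: which third-party packages currently hold an enabled accessibility service, and which installed packages declare the `REQUEST_INSTALL_PACKAGES` permission that lets an app walk the user through a sideloaded "update". The Kotlin snippet below is an added illustration, not code from the Cleafy report or from this article; the object name `SideloadAudit`, the `Report` class and the `suspicious` helper are assumptions, and on Android 11 and later the package enumeration needs the `QUERY_ALL_PACKAGES` permission or a `<queries>` element in the manifest.

```kotlin
import android.Manifest
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.view.accessibility.AccessibilityManager

// Hypothetical audit helper (assumed name): reports which installed packages
// hold the capabilities a TeaBot-style dropper chain relies on.
object SideloadAudit {

    data class Report(
        // Non-system packages with an accessibility service the user switched on.
        val accessibilityServices: List<String>,
        // Non-system packages that declare REQUEST_INSTALL_PACKAGES and can
        // therefore launch the "install unknown app" flow for a second stage.
        val installRequesters: List<String>
    )

    // System packages are excluded so that a legitimate screen reader or the
    // vendor's own installer is not reported as suspicious.
    private fun isSystemApp(pm: PackageManager, pkg: String): Boolean =
        try {
            (pm.getApplicationInfo(pkg, 0).flags and ApplicationInfo.FLAG_SYSTEM) != 0
        } catch (e: PackageManager.NameNotFoundException) {
            false
        }

    fun run(context: Context): Report {
        val pm = context.packageManager

        // 1. Enabled accessibility services, as reported by AccessibilityManager.
        val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
        val a11y = am
            .getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .map { it.resolveInfo.serviceInfo.packageName }
            .filterNot { isSystemApp(pm, it) }
            .distinct()

        // 2. Installed packages whose manifest requests REQUEST_INSTALL_PACKAGES.
        //    (Android 11+: requires QUERY_ALL_PACKAGES or a <queries> element.)
        val installers = pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)
            .filter { info ->
                info.requestedPermissions
                    ?.contains(Manifest.permission.REQUEST_INSTALL_PACKAGES) == true
            }
            .map { it.packageName }
            .filterNot { isSystemApp(pm, it) }

        return Report(a11y, installers)
    }

    // A utility app (QR reader, PDF scanner) that holds both capabilities
    // matches the dropper profile described in the article and deserves review.
    fun suspicious(report: Report): List<String> =
        report.accessibilityServices.intersect(report.installRequesters.toSet()).toList()
}
```

In practice the output of `suspicious` would be compared against an allow-list of known accessibility tools before alerting, since legitimate apps such as password managers also use accessibility services.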

-Here’s How You Can Stop TeaBot
TeaBot attacks have become increasingly common. “The number of apps targeted by TeaBot has expanded more than 500 percent in less than a year, increasing from 60 targets to over 400,” Cleafy said.

-Is there anything that can be done to put a stop to it?

Shawn Smith, director of infrastructure at nVisium, told Threatpost via email on Wednesday that “real-time scanning of app downloads – even if the app doesn’t originate from Google Play – would help to mitigate this issue,” adding that “additional warning messages when installing app add-ons that aren’t on Google Play could be useful, too.”

“Google could be implementing checks on permissive permissions for programmes to execute, acquiring lists of certain hardcoded public IPs and domain names,” Leo Pate, managing consultant at nVisium, told Threatpost via email on Wednesday. “Then [Google] may check them against a variety of databases to see if they’re ‘bad.’”

Until app stores close the dropper loophole, users must remain vigilant, according to Schless. “Everyone understands the need for having antivirus and anti-malware software on their PCs, and our mobile devices should be no different.”

Log4j Exploit: Lessons Learned and Risk Reduction Best Practices is a LIVE Threatpost event scheduled for Thursday, March 10 at 2 p.m. ET. Join Justin Young, a code specialist from Sonatype, as he teaches you how to improve your code-hunting abilities and reduce attacker dwell time. Learn why Log4j is still risky and how software supply-chain security is affected by SBOMs. Sonatype is sponsoring this one-time FREE event. Register now.
