TeaBot malware now targets US users by spreading via Google Play Store

Android banking trojan continues attacking and receives various upgrades: more than 400 financial apps targeted

TeaBot malware is back at it again: downloaded at least 10 000 times.

The advanced RAT malware was yet again spotted to be actively spreading. This time not excluding the US users. The threat was discovered in Google Play Store, where the trojan posed as various applications and managed to infect 10,000 devices. The TeaBot malware poses as a QR code application and tricks people into allowing the malicious trojan on the machines.^[1] These tactics were already used back in January, and then Google outed these entries. Malware managed to find its way to this official Android app store yet again.^[2]

The Android banking trojan is created to steal credentials, SMS messages, and other valuable details. It is sneaking past the Google Play Store protections again and targets more than 400 banking, financial applications. These applications that are targeted are from China, the US, Russia, and developers all over the world.

TeaBot remote access trojan is capable of key-logging, account takeover, request live streaming of the screen. It is known as an example of on-device fraud.^[3] The infection was first noticed in May 2021 and received other names like Anatsa. It was always known as the threat camouflaging malicious functions by posing as the PDF document or QR code scanner app that can be easily downloaded via Google Play Store that is not a third-party source, but instead an official website.

Dropper applications deliver the second-stage payload

Online fraud applications act as droppers and can be submitted without malicious code, with minimal permissions requested. It is hard for Google reviewers to spot anything shady about the applications. Trojanized programs include the functionality that is promised on the store, so reviews on the Play Store can also be positive.

These malicious applications act as the conduit to deliver another payload of malware. This way the payload of the trojan is retrieved and infected devices can be controlled by threat actors. Various reports and analyses show that such droppers related to Anatsa could be found on the Play Store as early as June 2021.

The indication of the active malware comes from the research team^[4] that reported about QR Code reader- scanner app that received more than 100 000 downloads in a month before the takedown.^[5] This was identified as the TeaBot trojan lurking on the official Android app store. The latest version of the malware is also a QR code scanner and has been downloaded 10 000 times.

Functioning after the payload infiltration

The application acts as the tool that users downloaded it for, but then the app requires an update with a pop-up message. This way, the supposed update is triggered from a third-party source, and the procedure of upgrade installation is TeaBot loading instead. The new application is added, masking the banking trojan.

The new application asks for permission to use Accessibility Services, so the additional functions can be triggered. From there, Android trojan can view the screen of the device, take screenshots. two-factor authentication codes, SMS content, login credentials can be captured like this without the requirement of additional scripts. Also, malware can perform actions like automatic permission granting without users' interaction.

The threat samples found in January had the particular script that triggered the exit of the malware once the location of the United States got detected.^[5] This February version of TeaBot malware is targeting US users and aims at Russia, Slovakia, China. This is the global threat with global-scale operations. The malware now also has more features, stronger string obfuscation, and targets more banking, insurance, crypto wallet, crypto exchange applications.