TeaBot Trojan Haunts Google Play Store, Again

Malicious Google Play apps have slipped past the store's vetting by hiding the trojan inside what looks like a software update.

The TeaBot banking trojan – also known as “Anatsa” – has been spotted on the Google Play store, researchers from Cleafy have discovered.

The malware – designed to intercept SMS messages and login credentials from unwitting users – affected users of “more than 400 banking and financial apps, including those from Russia, China, and the U.S.,” its report claims.

This isn’t the first time TeaBot has terrorized Android users.


TeaBot Just Won’t Die

TeaBot was first discovered last year. It’s a relatively straightforward malware designed to siphon banking, contact, SMS and other types of private data from infected devices. What makes it unique – what gives it such staying power – is the clever means by which it spreads.

TeaBot requires no malicious email or text message, no fraudulent website or third-party service. Instead, it typically comes packaged in a dropper application. Droppers are programs that seem legitimate from the outside, but in fact act as vehicles to deliver a second-stage malicious payload.

TeaBot droppers have masked themselves as ordinary QR code or PDF readers. Hank Schless, senior manager of security solutions at Lookout, explained via email that attackers “usually stick to utility apps like QR code scanners, flashlights, photo filters, or PDF scanners because these are apps that people download out of necessity and likely won’t put as much time into looking at reviews that might impact their decision to download.”

This tactic appears to be effective. In January, an app called QR Code Reader – Scanner App distributed 17 different TeaBot variants over a little more than a month. It had pulled in more than 100,000 downloads by the time it was discovered.

Other TeaBot droppers – discovered by Dutch security firm ThreatFabric last November – have been packaged under many names, such as QR Scanner 2021, PDF Document Scanner and CryptoTracker. The latest, according to security firm Cleafy, was QR Code & Barcode – Scanner.

Why Can’t TeaBot Be Stopped?

App stores have policies and protections aimed at combating malware. Google Play Protect, for example, helps root out malicious apps before they’re installed and scans for evidence of misdoing on a daily basis.

However, TeaBot droppers aren’t obviously malicious. They might seem perfectly uninteresting, at least on the surface.

Once a user opens one of these nondescript apps, they’re prompted to download a software update. The update is, in fact, a second app containing a malicious payload.

If the user grants the app permission to install software from unknown sources, the infection process begins. Like other Android malware, TeaBot then attempts to abuse Accessibility Services. The attacks also use an advanced remote access feature that abuses the TeamViewer application – a remote access and desktop sharing tool – giving the actor behind the malware remote control over the victim’s device.

The ultimate goal of these attacks is to retrieve sensitive information such as login credentials, SMS and 2FA codes from the device’s screen, as well as to perform malicious actions on the device, the report said.
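The chain described above (a utility app that asks to sideload a second APK, which then needs SMS and accessibility access) leaves traces in the app's manifest that a reviewer can check statically. The following triage script is an added example, not code from Cleafy, Threatpost or Google; it assumes the manifest has already been decoded to plain XML (for instance with apktool) and the indicator list is illustrative rather than a complete signature.

```python
"""Static triage of a decoded AndroidManifest.xml for dropper-style traits.

Added example. Assumes the APK manifest was already decoded to plain XML;
the indicator set below is illustrative, not a vetted detection rule.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SIDELOAD_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Each indicator is tagged with the step of the infection chain it enables.
INDICATORS = {
    SIDELOAD_PERM: "dropper: can prompt the user to install a second APK",
    "android.permission.RECEIVE_SMS": "payload: can intercept SMS and 2FA codes",
    "android.permission.READ_SMS": "payload: can read stored SMS",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return {indicator: reason} for every suspicious capability declared."""
    root = ET.fromstring(manifest_xml)
    found = {}
    # Requested permissions are <uses-permission android:name="..."/> elements.
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in INDICATORS:
            found[name] = INDICATORS[name]
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == A11Y_PERM:
            found[A11Y_PERM] = "payload: accessibility service can read the screen and drive the UI"
    return found


def is_suspicious_utility_app(manifest_xml: str) -> bool:
    """Flag the sideload capability combined with SMS or accessibility access,
    a pairing a QR or PDF reader has no legitimate need for."""
    found = triage_manifest(manifest_xml)
    return SIDELOAD_PERM in found and any(k != SIDELOAD_PERM for k in found)


# Constructed sample: a "QR scanner" that also requests sideload, SMS and accessibility.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscan">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="QR Scanner">
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` to see each matched capability with its reason; `is_suspicious_utility_app` returns True for the constructed sample and False for a scanner that only asks for the camera.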

Here’s How TeaBot Can Be Stopped

TeaBot attacks have grown fast. As Cleafy notes, “In less than a year, the number of applications targeted by TeaBot have grown more than 500%, going from 60 targets to over 400.”

What can be done to stop them?

“Real-time scanning of app downloads – even if the app doesn’t originate from Google Play – would help to mitigate this issue,” Shawn Smith, director of infrastructure at nVisium, told Threatpost on Wednesday via email, adding that “additional warning messages when installing app add-ons that aren’t on Google Play could be useful, too.”

Leo Pate, managing consultant at nVisium, also told Threatpost via email on Wednesday that “Google could be implementing checks on permissive permissions for applications to run, obtaining lists of specific hardcoded public IPs and domain names. Then, [Google could run] them through various sources to see if they’re ‘bad.’”

Until app stores have fixed the problem with droppers, users will have to remain alert, Schless noted. “Everyone knows that they should have antivirus and anti-malware apps on their computers, and our mobile devices shouldn’t be treated any differently.”
