
Google Play app downloaded more than 10,000 times contained RAT for stealing data

    Extreme close-up photo of a Google Play gift card.

    A malicious app downloaded more than 10,000 times from Google Play covertly installed a remote access trojan that stole user passwords, text messages and other confidential data, a security company reported.

    The trojan, which goes by the names TeaBot and Anatsa, came to light last May. It used streaming software and abused Android’s accessibility services in a way that allowed the malware creators to remotely view the screens of infected devices and interact with the operations the devices were performing. At the time, TeaBot was programmed to steal data from a predefined list of apps from about 60 banks around the world.

    On Tuesday, security firm Cleafy reported that TeaBot was back. This time, the trojan spread through a malicious app called QR Code & Barcode Scanner, which, as the name suggests, allowed users to interact with QR codes and barcodes. The app had more than 10,000 installs before Cleafy researchers notified Google of the fraudulent activity and Google removed it.

    “One of the biggest differences compared to the samples discovered during … May 2021, the increase in targeted applications now includes: home banking applications, insurance applications, crypto wallets and crypto exchanges,” Cleafy researchers wrote. “In less than a year, the number of applications targeted by TeaBot has grown by more than 500%, from 60 targets to more than 400.”

    In recent months, TeaBot has also started supporting new languages including Russian, Slovak and Mandarin Chinese to display custom messages on infected phones. The rogue scanner app distributed on Play was detected as malicious by only two antimalware services and only requested a few permissions when it was downloaded. All reviews painted the app as legit and well-functioning, making TeaBot harder for less experienced people to spot as a risk.

    Once installed, the malicious QR Code & Barcode Scanner app displayed a popup informing users that an update was available. But instead of delivering the update through Play as normal, the popup downloaded it from two specific GitHub repositories created by a user named feleanicusor. The two repositories in turn installed TeaBot.

    [Chart (credit: Cleafy) summarizing the infection chain developed by the TeaBot authors: Play-distributed scanner app, fake-update popup, download from GitHub, TeaBot installation.]

    Cleafy researchers wrote:

    Once the users agree to download and run the fake “update”, TeaBot will initiate the installation process by requesting the Accessibility Services permissions to obtain the necessary privileges:

    • View and operate screen: used for retrieving sensitive information such as login details, SMS, 2FA codes from the device’s screen.
    • View and perform actions: used for accepting various types of permissions immediately after the installation phase, and for performing malicious actions on the infected device.

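    The two behaviours Cleafy describes, an accessibility service enabled for an app that has no business having one, and a second APK installed by the scanner app rather than by Play, are both visible from a USB-debugging shell. The script below is an added triage check written for this page; it is not from the Cleafy report or from the article. It parses the output formats of `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/service` entries) and `adb shell pm list packages -i` (`package:<name>  installer=<pkg|null>`), and flags any accessibility service outside an allowlist plus any package whose installer is not `com.android.vending`. The device output embedded here is constructed for the example, and every package name in it other than TalkBack, Chrome and Play is hypothetical.

```shell
#!/bin/sh
# Added example: offline triage of two Android signals abused by TeaBot.
# Replace the constructed samples with live output, e.g.
#   A11Y=$(adb shell settings get secure enabled_accessibility_services)
#   PKGS=$(adb shell pm list packages -i)

# Constructed sample of `settings get secure enabled_accessibility_services`.
# com.example.qrscanner is a hypothetical stand-in for the rogue scanner app.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.qrscanner/com.example.qrscanner.A11yService'

# Constructed sample of `pm list packages -i` (real format, hypothetical packages).
# The "update" package was installed by the scanner app, not by Play.
SAMPLE_PKGS='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.qrscanner  installer=com.android.vending
package:com.example.update  installer=com.example.qrscanner
package:com.android.chrome  installer=null'

# Accessibility-service owners expected on the device (edit for your fleet).
ALLOWLIST='com.google.android.marvin.talkback'

# Print each package owning an enabled accessibility service that is not allowlisted.
# A banking-fraud trojan needs this permission to read screens and tap for the user,
# so a QR scanner or "update" package appearing here is a strong signal.
suspicious_a11y() {
  printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | sort -u | while read -r pkg; do
    [ -n "$pkg" ] || continue
    case " $ALLOWLIST " in
      *" $pkg "*) ;;                      # expected service, skip
      *) printf '%s\n' "$pkg" ;;          # unexpected owner, report
    esac
  done
}

# Print "<package> <installer>" for packages not installed by Google Play.
# installer=null means sideloaded; installer=<some app> means that app
# used the package installer itself, which is the fake-update pattern.
non_play_installs() {
  printf '%s\n' "$1" \
    | sed -n 's/^package:\([^ ]*\)  *installer=\(.*\)$/\1 \2/p' \
    | while read -r pkg inst; do
        [ "$inst" = "com.android.vending" ] || printf '%s %s\n' "$pkg" "$inst"
      done
}

# Report both signals for a pair of captured outputs.
triage() {
  echo "Unexpected accessibility-service owners:"
  suspicious_a11y "$1" | sed 's/^/  /'
  echo "Packages not installed by Play (package installer):"
  non_play_installs "$2" | sed 's/^/  /'
}

triage "$SAMPLE_A11Y" "$SAMPLE_PKGS"
```

On the constructed sample the scanner app shows up as an accessibility-service owner and the "update" package shows up with the scanner app as its installer, which is exactly the chain described above: a Play-installed app that then side-installs the real payload and grants it accessibility access. A package reported by both functions deserves immediate attention.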

    TeaBot is just the latest piece of Android malware distributed through Google’s official app marketplace. The company is generally quick to remove malicious apps once they are reported, but it continues to struggle to identify malware on its own. Google representatives did not respond to an email requesting comments for this post.

    Tuesday’s post from Cleafy contains a list of indicators that people can use to determine if they have installed the malicious app.
