A dangerous Android bank malware which steals victim’s credentials and SMS messages have been downloaded thousands of times via Google Play Storewarned researchers.
Called “TeaBot”, it is an Android banking Trojan that first appeared in early 2021 and is designed to steal victims’ text messages.
Initially, TeaBot was distributed through smishing campaigns using a predefined list of decoys, such as TeaTV, VLC Media Player, DHL and UPS and others, according to the online fraud prevention and management solution provider. Cleafy.
“Over the past few months, we have detected a significant increase in targets which now number over 400 applications, including banks, crypto exchanges/wallets and digital insurance, and new countries such as Russia, Hong Kong and the United States,” the researchers informed.
Over the past few months, TeaBot has also started supporting new languages, such as Russian, Slovak, and Mandarin Chinese, useful for displaying custom messages during installation phases.
On February 21, the Cleafy Threat Intelligence and Incident Response (TIR) team discovered an application posted on the official website google play storewhich acted as a dropper app delivering TeaBot with a fake update procedure.
“The dropper sits behind a common QR Code & Barcode Scanner and it has been downloaded over 10,000 times. All reviews show the app as legit and working well,” the team noted.
However, once downloaded, the dropper will ask for an update immediately via a popup message.
Unlike legitimate apps that update through the official Google Play Store, the app dropper will ask to download and install a second app.
This application has been detected as TeaBot.
TeaBot, masquerading as “QR Code Scanner: Add-On”, is downloaded from two specific GitHub repositories.
Once users agree to download and run the fake “update”, TeaBot will initiate its installation process by requesting permissions from “Accessibility Services” in order to obtain the necessary privileges.
One of the biggest differences, compared to the samples discovered in May 2021, is the increase in targeted apps which now include home banking apps, insurance apps, crypto wallets, and crypto exchanges.
“In less than a year, the number of applications targeted by TeaBot has increased by more than 500%, from 60 targets to over 400,” the team said.
Google Play has yet to comment on the report.