May 27, 2022



Google Play app downloaded more than 10,000 times contained data-stealing RAT


A malicious app downloaded from Google Play more than 10,000 times surreptitiously installed a remote access trojan that stole users’ passwords, text messages, and other confidential data, a security firm reported.

The trojan, which goes under the names TeaBot and Anatsa, came to light last May. It used streaming software and abused Android’s accessibility services in a way that allowed the malware creators to remotely view the screens of infected devices and interact with the operations the devices carried out. At the time, TeaBot was programmed to steal data from a predefined list of apps from about 60 banks around the world.

On Tuesday, security firm Cleafy reported that TeaBot was back. This time, the trojan spread through a malicious app called QR Code & Barcode Scanner, which, as the name suggested, allowed users to interact with QR codes and barcodes. The app had more than 10,000 installations before Cleafy researchers notified Google of the fraudulent activity and Google removed it.

“One of the biggest change[s], compared to the samples discovered during… May 2021, is the increase of targeted applications which now include home banking applications, insurances apps, crypto wallets, and crypto exchanges,” Cleafy researchers wrote. “In less than a year, the number of applications targeted by TeaBot have grown more than 500%, going from 60 targets to over 400.”

In recent months, TeaBot also started supporting new languages, including Russian, Slovak, and Mandarin Chinese, to display customized messages on infected phones. The fraudulent scanner app distributed on Play was detected as malicious by only two antimalware vendors, and it requested only a few permissions at the time it was downloaded. All the reviews portrayed the app as legitimate and well-functioning, making TeaBot harder for less experienced people to identify as a threat.

Once installed, the malicious QR Code & Barcode Scanner app displayed a pop-up informing users that an update was available. But rather than making the update available through Play as is customary, the pop-up downloaded it from two specific GitHub repositories created by a user named feleanicusor. The two repositories, in turn, installed TeaBot.

(Figure: a graph giving an overview of the infection chain developed by the TeaBot authors.)

Cleafy researchers wrote:

Once the users accept to download and execute the fake “update”, TeaBot will start its installation process by requesting the Accessibility Services permissions in order to obtain the privileges needed:

  • View and control screen: used for retrieving sensitive information such as login credentials, SMS, 2FA codes from the device’s screen.
  • View and perform actions: used for accepting different kinds of permissions, immediately after the installation phase, and for performing malicious actions on the infected device.


TeaBot is only the latest piece of Android malware to be spread through Google’s official app marketplace. The company is usually quick to remove malicious apps once they are reported, but it continues to struggle to identify malware on its own. Google representatives did not respond to an email seeking comment for this post.

Tuesday’s post from Cleafy has a list of indicators that people can use to determine if they installed the malicious app.
