Google Play app downloaded more than 10,000 times contained data-stealing RAT

A malicious app downloaded from Google Play more than 10,000 times surreptitiously installed a remote access trojan that stole users' passwords, text messages, and other confidential data, a security firm reported.

The trojan, which goes by the names TeaBot and Anatsa, came to light last May. It used streaming software and abused Android's accessibility services in a way that allowed the malware creators to remotely view the screens of infected devices and interact with the operations the devices performed. At the time, TeaBot was programmed to steal data from a predefined list of apps from about 60 banks around the world.

On Tuesday, security firm Cleafy reported that TeaBot was back. This time, the trojan spread through a malicious app called QR Code & Barcode Scanner, which, as the name suggested, allowed users to interact with QR codes and barcodes. The app had more than 10,000 installs before Cleafy researchers notified Google of the fraudulent activity and Google removed it.

"One of the most important difference[s] in comparison with the samples found during… May 2021, is the rise of targeted applications which now include home banking apps, insurances apps, crypto wallets, and crypto exchanges," Cleafy researchers wrote. "In less than a year, the number of applications targeted by TeaBot have grown more than 500%, going from 60 targets to over 400."

In recent months, TeaBot also started supporting new languages, including Russian, Slovak, and Mandarin Chinese, to display custom messages on infected phones. The fraudulent scanner app distributed on Play was detected as malicious by only two antimalware services, and it requested only a few permissions at the time it was downloaded. All the reviews portrayed the app as legitimate and well-functioning, making TeaBot harder for less experienced people to recognize as a risk.

Once installed, the malicious QR Code & Barcode Scanner app displayed a pop-up informing users that an update was available. But rather than making the update available through Play as is normal, the pop-up downloaded it from two specific GitHub repositories created by a user named feleanicusor. The two repositories, in turn, installed TeaBot.

This graph provides an overview of the infection chain developed by the TeaBot authors:


Cleafy researchers wrote:

Once the users accept to download and execute the fake update, TeaBot will start its installation process by requesting the Accessibility Services permissions in order to obtain the privileges needed:

  • View and control screen: used for retrieving sensitive information such as login credentials, SMS, 2FA codes from the device's screen.
  • View and perform actions: used for accepting different kinds of permissions, immediately after the installation phase, and for performing malicious actions on the infected device.


TeaBot is only the latest piece of Android malware to be spread through Google's official app market. The company is generally quick to remove malicious apps once they're reported, but it continues to struggle to identify malware on its own. Google representatives didn't respond to an email seeking comment for this post.

Tuesday's post from Cleafy has a list of indicators that people can use to determine if they installed the malicious app.
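
Independent of Cleafy's indicator list, the infection chain described above (an update fetched from outside Play that then asks for Accessibility Services) leaves a pattern a defender can triage on a device. The following is an added example, not code from Cleafy or the original article: it parses the output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` and flags packages that hold an enabled accessibility service but were not installed by Google Play. All package names and sample outputs are constructed.

```python
# Added example: flag apps that hold an enabled accessibility service but were
# not installed by Google Play, the pattern left by a sideloaded "update".
import re

PLAY_INSTALLER = "com.android.vending"

# Constructed sample of `adb shell pm list packages -i` output.
SAMPLE_PACKAGES = """\
package:com.example.qrscanner  installer=com.android.vending
package:com.example.scanner.addon  installer=null
package:com.example.screenreader  installer=com.android.vending
package:com.example.notes  installer=com.example.qrscanner
"""

# Constructed sample of
# `adb shell settings get secure enabled_accessibility_services` output.
SAMPLE_A11Y = ("com.example.scanner.addon/com.example.scanner.addon.Svc:"
               "com.example.screenreader/.ReaderService")

def parse_installers(pm_output):
    """Map package name -> installer package (None when no installer recorded)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers

def parse_accessibility(setting_value):
    """Return the packages that own an enabled accessibility service."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def suspicious_packages(pm_output, setting_value):
    """Packages with accessibility enabled whose installer is not Play."""
    installers = parse_installers(pm_output)
    flagged = []
    for pkg in sorted(parse_accessibility(setting_value)):
        installer = installers.get(pkg)
        if installer != PLAY_INSTALLER:
            flagged.append((pkg, installer))
    return flagged

if __name__ == "__main__":
    for pkg, installer in suspicious_packages(SAMPLE_PACKAGES, SAMPLE_A11Y):
        print(f"review: {pkg} (installer={installer}) has accessibility access")
```

The result is a review list, not a verdict: preinstalled accessibility tools and apps from other stores also show a non-Play installer.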
