Cybersecurity company Cleafy has found that a Play Store app downloaded over 10,000 times had a remote access trojan embedded, stealing users’ passwords, messages and other confidential data.
The trojan goes by TeaBot or Anatsa and surfaced last May. At that time, the trojan was programmed to steal data from a predetermined list of about 60 banks worldwide. It uses streaming software and abuses Android’s accessibility services to allow the operator to see what is happening on the target’s screen and interact with whatever is being done.
Cleafy’s report suggests that TeaBot is back, this time in an app named QR Code and Barcode Scanner. The app had been downloaded over 10,000 times from the Google Play Store before Cleafy reported it to Google for fraudulent activity, after which it was removed.
RATs getting smarter
The app doesn’t request many permissions from the user straight away, and the reviews on its download page also suggest that the app is legitimate. However, once downloaded, the app would show a pop-up saying an update was available.
This ‘update’ would be downloaded from two specific GitHub repositories instead of the Google Play Store. These repositories, created by the user ‘feleanicusor’, would, in turn, install TeaBot.
To gain the permissions and access required, once the update was installed, the app would request the following two accessibility permissions from the user:
- View and control screen: used for retrieving sensitive information such as login credentials, SMS messages and 2FA codes from the device’s screen.
- View and perform actions: used for accepting different kinds of permissions immediately after the installation phase, and for performing malicious actions on the infected device.
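The infection chain described above (a lightly permissioned store app, a self-downloaded "update" APK fetched from a host other than the store, a second package installed by the first, and that second package then gaining accessibility access) is a sequence a defender can look for in device telemetry. The following Python script is an added example, not code from Cleafy or from the article; it runs over a constructed event log in an assumed `timestamp EVENT key=value` format (not any vendor's real schema), and the package names and GitHub path in the sample are placeholders. On a real fleet the same signals come from MDM/EDR exports; for instance, the enabled accessibility services on an Android device are listed in the `Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES` setting.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Constructed event format, assumed for this example (no vendor's real schema):
#   <timestamp> <EVENT> key=value key=value ...
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s*(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

STORE_INSTALLERS = {"com.android.vending"}  # Google Play's installer package
STORE_HOST_SUFFIXES = ("google.com", "googleapis.com", "gstatic.com")
APK_MIME = "application/vnd.android.package-archive"


@dataclass
class Chain:
    """State of one watched package as it moves through the dropper stages."""
    dropper: str
    steps: list = field(default_factory=list)
    apk_host: Optional[str] = None   # non-store host an APK was fetched from
    payload: Optional[str] = None    # package the dropper installed


def parse_event(line: str):
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m.group("ts"), "event": m.group("event")}
    ev.update(KV_RE.findall(m.group("kv")))
    return ev


def is_store_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in STORE_HOST_SUFFIXES)


def detect_dropper_chains(lines):
    """Return one alert per completed chain: store app -> off-store APK ->
    side-loaded package -> accessibility service enabled for that package."""
    chains = {}          # dropper package -> Chain
    payload_owner = {}   # side-loaded package -> dropper package
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        kind, pkg = ev["event"], ev.get("pkg", "")
        if kind == "APP_INSTALL":
            installer = ev.get("installer", "")
            if installer in STORE_INSTALLERS:
                # Stage 1: an ordinary store install; start watching this package.
                chains[pkg] = Chain(dropper=pkg, steps=[f"{ev['ts']} store install"])
            elif installer in chains and chains[installer].apk_host:
                # Stage 3: a watched app installed another package after its APK download.
                chains[installer].payload = pkg
                chains[installer].steps.append(f"{ev['ts']} installed {pkg}")
                payload_owner[pkg] = installer
        elif kind == "NET_DOWNLOAD" and pkg in chains and ev.get("mime") == APK_MIME:
            host = urlparse(ev.get("url", "")).hostname or ""
            if host and not is_store_host(host):
                # Stage 2: an APK fetched from outside the store.
                chains[pkg].apk_host = host
                chains[pkg].steps.append(f"{ev['ts']} APK from {host}")
        elif kind == "ACCESSIBILITY_SERVICE_ENABLED" and pkg in payload_owner:
            # Stage 4: the side-loaded package obtained accessibility access.
            chain = chains[payload_owner[pkg]]
            chain.steps.append(f"{ev['ts']} accessibility enabled for {pkg}")
            alerts.append({"dropper": chain.dropper, "payload": pkg,
                           "apk_host": chain.apk_host, "steps": list(chain.steps)})
    return alerts


# Constructed sample log, not real telemetry. Package names and the GitHub
# path are placeholders; the weather app and screen reader are benign noise.
SAMPLE_LOG = """
2022-02-01T09:00:00Z APP_INSTALL pkg=com.example.qrscanner installer=com.android.vending
2022-02-01T09:00:05Z APP_INSTALL pkg=com.example.weather installer=com.android.vending
2022-02-01T09:01:00Z NET_DOWNLOAD pkg=com.example.weather url=https://api.example.net/forecast.json mime=application/json
2022-02-01T09:02:00Z NET_DOWNLOAD pkg=com.example.qrscanner url=https://github.com/placeholder-user/placeholder-repo/raw/main/update.apk mime=application/vnd.android.package-archive
2022-02-01T09:02:30Z APP_INSTALL pkg=com.example.qrupdate installer=com.example.qrscanner
2022-02-01T09:03:00Z ACCESSIBILITY_SERVICE_ENABLED pkg=com.example.qrupdate
2022-02-01T09:04:00Z ACCESSIBILITY_SERVICE_ENABLED pkg=com.example.screenreader
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect_dropper_chains(SAMPLE_LOG):
        print(f"ALERT dropper={a['dropper']} payload={a['payload']} host={a['apk_host']}")
        for step in a["steps"]:
            print("   ", step)
```

The rule deliberately fires only on the full four-stage sequence: a single off-store APK download, or a single app enabling an accessibility service (as a legitimate screen reader does in the sample), produces no alert on its own, which keeps the false-positive rate manageable while still catching the update-then-escalate pattern the report describes.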
Cleafy researchers also pointed out the massive expansion of TeaBot’s target list: restricted to 60 targets in May 2021, it has since grown to over 400, including banking, insurance and crypto-wallet apps.
Someone who writes/edits/shoots/hosts all things tech and, when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.