
Android app caught delivering data-stealing trojan to thousands of people


Cybersecurity company Cleafy has found that a Play Store app, downloaded more than 10,000 times, acted as a dropper for a remote access trojan that steals users' passwords, messages and other confidential data.

The trojan is known as TeaBot or Anatsa and first surfaced in May 2021. At that time it was programmed to steal data from a predetermined list of about 60 banks worldwide. It combines screen streaming with abuse of Android's accessibility services, letting the operator watch what is happening on the victim's screen and interact with whatever the victim is doing.

Cleafy's report shows that TeaBot is back, this time inside an app named QR Code and Barcode Scanner. The app had been downloaded over 10,000 times from the Google Play Store before Cleafy reported it to Google for fraudulent activity, after which Google removed it.


RATs getting smarter

The app does not request many permissions at install time, and the reviews on its store page make it look legitimate. Once installed, however, it shows a pop-up saying an update is available.

The TeaBot dropper found on the Play Store. | Source: Cleafy

This 'update' is not fetched from the Google Play Store but from two GitHub repositories created by the user 'feleanicusor'; the downloaded package, in turn, installs TeaBot. Because the payload is sideloaded only after the original app is already on the device, it never passes through Play Store review.

Once the update is installed, the app asks the user for the following two accessibility permissions to gain the access it needs:

  • View and control screen: used to read sensitive information such as login credentials, SMS messages and 2FA codes from the device's screen.
  • View and perform actions: used to accept further permission prompts automatically, immediately after installation, and to perform malicious actions on the infected device.
The GitHub repository used to deliver the trojan. | Source: Cleafy
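The two halves of this chain leave distinct marks in an app's manifest: the dropper needs the REQUEST_INSTALL_PACKAGES permission (required on Android 8 and later for an app to install another APK) plus INTERNET to fetch the payload, while the payload declares an AccessibilityService bound with BIND_ACCESSIBILITY_SERVICE. The script below is an added example, not code from Cleafy's report or from the article, that triages a decoded AndroidManifest.xml (for instance the output of apktool) for those indicators. The two manifests and the package names in it are constructed for illustration and do not describe the real QR Code and Barcode Scanner app.

```python
"""Static triage of a decoded AndroidManifest.xml for dropper/RAT indicators:
an app that can sideload a second APK (REQUEST_INSTALL_PACKAGES + INTERNET)
and an app that declares an AccessibilityService. Constructed sample manifests
are embedded so the script runs offline."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree prefix for android:* attributes

SIDELOAD_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
INTERNET_PERM = "android.permission.INTERNET"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed manifest for a dropper: few, plausible permissions for a
# scanner app, plus the ability to fetch and install another APK.
DROPPER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="QR Scanner">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed manifest for a sideloaded payload that registers an
# accessibility service, which is how screen reading/control is obtained.
PAYLOAD_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.payload">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Update">
    <service android:name="com.example.payload.ScreenService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Extract the indicators relevant to the dropper/RAT chain."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    acc_services = []
    for svc in root.iter("service"):
        actions = {act.get(A + "name") for act in svc.iter("action")}
        # Either the binding permission or the intent-filter action marks
        # a service as an accessibility service.
        if svc.get(A + "permission") == ACCESSIBILITY_PERM or ACCESSIBILITY_ACTION in actions:
            acc_services.append(svc.get(A + "name"))
    return {
        "package": root.get("package", ""),
        "can_sideload": SIDELOAD_PERM in perms,
        "has_internet": INTERNET_PERM in perms,
        "accessibility_services": acc_services,
        "permission_count": len(perms),
    }


def findings(indicators: dict) -> list:
    """Heuristic verdicts (assumed rules, not a vendor signature)."""
    out = []
    if indicators["can_sideload"] and indicators["has_internet"]:
        out.append("dropper")  # can download and install a second APK
    if indicators["accessibility_services"]:
        out.append("accessibility-abuse")  # can read/control the screen
    return out


if __name__ == "__main__":
    for name, xml in (("dropper", DROPPER_MANIFEST), ("payload", PAYLOAD_MANIFEST)):
        ind = triage_manifest(xml)
        print(name, ind["package"], findings(ind))
```

A legitimate app can hold REQUEST_INSTALL_PACKAGES (app stores, MDM agents) or declare an accessibility service (screen readers), so these verdicts are a reason to look closer, not proof of malice; the combination of a low-permission store app that later installs a second package asking for accessibility access is the pattern worth escalating.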

Cleafy's researchers also pointed out the massive growth in TeaBot's target list: in May 2021 it covered about 60 applications, and it now exceeds 400, spanning banking, insurance and crypto-wallet apps.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes, edits, shoots and codes all things cybersecurity, gaming and tech hardware. When he's not, he streams himself racing virtual cars. He has been writing and reporting on tech and cybersecurity for websites such as Candid.Technology and MakeUseOf since 2018.
