Criminals have managed to successfully hide a banking Trojan on the Google Play Store, possibly infecting thousands of devices in an attempt to steal identities and two-factor authentication codes.
A new report from security firm Cleafy found thatTeaBot banking trojan, sometimes referred to as Anatsa, or Toddler, was being distributed as a second-stage payload from a seemingly legitimate app.
The team found it was being distributed as an update to a non-malicious, fully functioning app called “QR Code & Barcode – Scanner”. The app works as intended – scans barcodes and QR codes properly, and as such, has received numerous positive reviews on the Play Store.
Delivering the payload
However, as soon as it’s installed, it requests permission to download a second application, called “QR Code Scanner: Add-On” which, according to the publication, includes “multiple TeaBot samples”.
The app has had more than 10,000 downloads before being discovered for what it truly was, and being removed from the app store.
When a victim downloads the “add-on”, TeaBot will ask for permissions to view and control the endpoint’s screen, and if granted – will use the power to pull login credentials, SMS messages, or two-factor authentication codes. It also gains access to record keystrokes, by abusing Android accessibility services.
“Since the dropper application distributed on the official Google Play Store requests only a few permissions and the malicious app is downloaded at a later time, it is able to get confused among legitimate applications and it is almost undetectable by common antivirus solutions,” Cleafy said.
While Google did not comment on the findings, it did remove the app from the store.
TeaBot was first spotted in May last year, when it targeted European banks by stealing two-factor codes sent via SMS. This time around, Cleafy says, it targets users in Russia, Hong Kong, and the US.
Via: TechCrunch
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba