An Android banking trojan designed to steal credentials and SMS messages has been observed bypassing Google Play Store protections to target users of more than 400 banking and finance apps from Russia, China and the United States. United States.

“TeaBot RAT’s capabilities are achieved through live streaming of the device’s screen (requested on demand) as well as abuse of accessibility services for remote interaction and keylogging” , Cleafy researchers said in a report. “This allows Threat Actors (TAs) to perform an ATO (Account Takeover) directly from the compromised phone, also known as ‘on-device fraud’.”

Also known as Anatsa, TeaBot first appeared in May 2021, disguising its malicious functions by posing as seemingly harmless PDF document and QR code scanner apps that are distributed through the Google Play Store official instead of third party app stores or via scam websites. .

These apps, also known as dropper apps, act as a conduit to deliver a second-stage payload that picks up the malware strain to take control of infected devices. In November 2021, Dutch security firm ThreatFabric revealed that it had identified six Anatsa droppers on the Play Store since June last year.

Earlier in January, Bitdefender researchers identified TeaBot lurking in the official Android app market as a “QR code reader – scanner app”, gaining over 100,000 downloads in the span of a month before its release. withdrawal.

The latest version of TeaBot dropper spotted by Cleafy on February 21, 2022 is also a QR code reader app named “QR Code & Barcode – Scanner” which has been downloaded about 10,000 times on the Play Store.

Once installed, the modus operandi is the same: prompting users to accept a fake add-on update, which, in turn, leads to the installation of a second app hosted on GitHub that actually contains the TeaBot malware. It should be noted, however, that users must allow installations from unknown sources for this attack chain to succeed.

The last phase of the infection involves the banking Trojan looking for permissions from accessibility services to capture sensitive information such as login credentials and two-factor authentication codes in an effort to take over the accounts to perform fraud on the device.

“In less than a year, the number of applications targeted by TeaBot has increased by more than 500%, from 60 targets to more than 400,” the researchers said, adding that the malware is now hitting multiple service-related apps. personal banking, insurance and crypto wallets. , and crypto exchanges.