The TeaBot banking malware has been discovered in the Google Play Store once more, this time disguised as a QR code app and spreading to over 10,000 devices. This is the same method its distributors employed in January. Despite Google's removal of these entries, it appears that the malware can still find its way into the official Android app repository.
According to research by Cleafy, an online fraud management and prevention firm, these applications operate as droppers. They are uploaded without malicious code and with only the most basic permissions, making it difficult for Google's reviewers to detect anything suspicious. Furthermore, the trojanized apps deliver the advertised functionality, which earns them favorable user reviews on the Play Store.
Researchers discovered TeaBot in February as an app called 'QR Code & Barcode – Scanner,' which appears to be a genuine QR code scanner. After installation, the application asks for an update through a popup message. However, the update is fetched from an external source, contrary to the update process required by Play Store rules.
The download source was traced back to two GitHub repositories belonging to the same user (feleanicusor), each of which contained several TeaBot samples posted on February 17, 2022. If the victim accepts the update from an untrusted source, TeaBot is installed as a new app on their smartphone under the name 'QR Code Scanner: Add-On'.
The new app starts up immediately and asks for permission to enable the Accessibility Services to do the following tasks:
- View the device’s screen and snap screenshots that show login credentials, 2FA codes, SMS content, etc.
- Perform actions in the background, such as auto-granting additional permissions, without requiring any user interaction.
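The dropper chain described above (a Play-installed app sideloading a second package that then asks for Accessibility Service access) is the kind of sequence a device-fleet or MDM telemetry pipeline can flag. The following is an added detection example, not code from the article or from Cleafy; the event record shape, field names and package names are constructed for illustration.

```python
# Added example (not from the article or Cleafy): flag the TeaBot-style dropper
# chain over constructed device-event records. The event shape and package names
# are assumptions made for this illustration, not real telemetry.
PLAY_STORE = "com.android.vending"  # package name of the Google Play Store app


def find_dropper_chains(events):
    """Return (dropper_pkg, payload_pkg) pairs matching the chain:
    1. the dropper was installed via the Play Store,
    2. a payload package was installed with the dropper as its installer
       (i.e. sideloaded from outside the Play Store),
    3. that payload then requested Accessibility Service access."""
    installer_of = {}          # package -> package that installed it
    accessibility_requests = set()
    for ev in events:
        if ev["type"] == "install":
            installer_of[ev["package"]] = ev["installer"]
        elif ev["type"] == "accessibility_request":
            accessibility_requests.add(ev["package"])

    chains = []
    for pkg, installer in installer_of.items():
        if installer == PLAY_STORE:
            continue  # installed directly from Play; not a sideloaded payload
        dropper_from_play = installer_of.get(installer) == PLAY_STORE
        if dropper_from_play and pkg in accessibility_requests:
            chains.append((installer, pkg))
    return chains


# Constructed sample events: one suspicious chain plus benign noise.
SAMPLE_EVENTS = [
    {"type": "install", "package": "com.example.qrscanner", "installer": PLAY_STORE},
    {"type": "install", "package": "com.example.qraddon", "installer": "com.example.qrscanner"},
    {"type": "accessibility_request", "package": "com.example.qraddon"},
    # A Play-installed app asking for accessibility on its own is not the chain.
    {"type": "install", "package": "com.example.notes", "installer": PLAY_STORE},
    {"type": "accessibility_request", "package": "com.example.notes"},
    # A sideload whose installer was not itself a Play app is also not the chain.
    {"type": "install", "package": "com.example.sideload", "installer": "com.example.browser"},
]

if __name__ == "__main__":
    for dropper, payload in find_dropper_chains(SAMPLE_EVENTS):
        print(f"suspicious dropper chain: {dropper} -> {payload}")
```

Only the Play-installed scanner that sideloads an add-on which then asks for accessibility is reported; a Play app requesting accessibility directly is left to normal review.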
Although Google made some security-minded API improvements to the Accessibility Service in Android 12, it remains the privilege that banking trojans abuse most. After all, most Android phones still run OS version 11 or earlier.