Data Stealing App Discovered In Google Play Store


An Android banking trojan designed to steal user data such as passwords and text messages has been discovered in Google Play and downloaded thousands of times.

The “TeaBot” banking trojan, also known as “Anatsa” and “Toddler,” was first observed in May 2021 targeting European banks by stealing two-factor authentication codes sent by text message.

A new report from Cleafy, an online fraud management and prevention solution company, now says the malware has evolved to include distribution via a second-stage malicious payload, and is now targeting users in Russia, Hong Kong and the United States.

Cleafy says that while the malware was previously distributed through SMS-based phishing campaigns using common apps as lures, the malicious Google Play app was acting as a “dropper” to deliver TeaBot by way of a fake in-app update.

Droppers are apps that appear legitimate, but in fact deliver a second-stage malicious payload.

TeaBot had reportedly been downloaded more than 10,000 times before it was discovered in the Google Play app.

Once installed, TeaBot asks for permissions to view and control the device’s screen to retrieve sensitive information such as login credentials, SMS messages and two-factor codes. It also abuses Android’s accessibility service, similar to other malicious Android apps, to request permissions that allow the malware to record keyboard entries.
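
As an added illustration (not from Cleafy's report or this article), the following Python example triages a decoded AndroidManifest.xml for the capabilities described above: an accessibility service, SMS access, and the ability to install a further package. The sample manifest and package name are constructed, and the permission combination treated as high risk is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest (hypothetical package name), not taken from a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the risk traits found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text.strip())
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = []
    # A bound accessibility service can read the screen and observe typed input.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == A11Y_BIND:
            findings.append("accessibility_service:" + svc.get(ANDROID_NS + "name", "?"))
    if perms & SMS_PERMS:
        findings.append("sms_access")
    # Lets the app prompt the user to install another APK from outside the store.
    if INSTALL_PERM in perms:
        findings.append("can_install_packages")
    return findings


def is_high_risk(findings):
    """Assumed threshold: accessibility service plus SMS access or package install."""
    has_a11y = any(f.startswith("accessibility_service:") for f in findings)
    return has_a11y and ("sms_access" in findings or "can_install_packages" in findings)
```

Each trait has legitimate uses on its own; the combination is what warrants a closer look at an app that claims a simple utility function.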

Cleafy says TeaBot is now targeting over 400 applications, including home banking apps, insurance apps, cryptocurrency wallets and cryptocurrency exchanges, an increase of more than 500% in less than a year.
