Over 10,000 Google Play users have downloaded another malicious Android app stuffed with malware. Called QR Code & Barcode Scanner, the app also installed a remote access trojan (RAT), that let the attackers skim passwords, banking details, and other sensitive data.
Noticed by security researchers at Cleafy, the malicious app contains the TeaBot trojan. This nasty piece of software uses Android’s accessibility services to read the screen, then uses streaming software to send data to its controllers.
When it first came out, it was limited to watching a hard-coded list of around 60 banking apps. Now the attackers have expanded in scope, with over 400 applications on the watchlist. Those range from banking apps to crypto exchanges/wallets, and even digital insurance apps.
TeaBot was distributed inside a Google Play Store app called QR Code & Barcode Scanner. Google has pulled it from the Play Store at the time of writing, but over 10,000 people downloaded and installed it before that. If you have it on your device, delete it, and change all of your financial service passwords.
The malware managed to get onto the Play Store by not actually being inside the app, to begin with. Once installed, and opened, it would ask the user to install an update.
This wasn’t actually a Google Play Store update, but a download of code from two GitHub repositories. That code installed TeaBot, which then asked the user to give it more permissions.
It’s clear that Android malware makers have figured out how to sidestep any protections the Google Play Store has. There are a few things that users can do to keep safe, however.
Only install updates from inside the Google Play Store, and not inside the app. Be wary of any app asking for extended permissions at install time. Be extra wary of any app that asks for extended permissions at any time after installation.