It is reported that thousands of Android banking Trojans are being downloaded from the Google Play Store and are stealing data from users, such as passwords and text messages. The Teabot banking trojan, also known as Anatsa and Toddler, began attacking European banks in May 2021 by stealing two-factor authentication codes sent to mobile phones. Cleafy reported that the malware has evolved to deliver malicious payloads via a secondary distribution method and is now targeting Russian, Hong Kong, and American users.
The app is experiencing this issue
Previously, the malware was spread through SMS-based phishing techniques using apps such as TTV, VLC media player and the shipping apps DHL and UPS, but now it is spread through malicious Google Play apps. These apps act as droppers that allow Teabot to send fake in-app updates. Droppers are apps that look legitimate but deliver malicious code in a second stage.
Victims are being created
By the time it was discovered, “QR Code & Barcode – Scanner” had amassed over 10,000 downloads. Because the app delivers the promised functionality, almost all reviews for the app have been positive. Appearing legitimate, the application asks for permission to download another application, QR Code Scanner: Add-on, which contains several Teabot samples.
Upon installation, Teabot asks for permission to view and control the device's screen in order to gather personal information such as login information, SMS messages, and two-factor codes. Like other malicious Android apps, it also abuses Android's accessibility service to request permission to record keyboard input.
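The two stages described above leave different traces in an app's manifest, so a reviewer can triage each APK separately. The following is an added example, not code from the original report: it assumes the manifest has already been decoded to text (for instance with apktool), and the two sample manifests and their package names are constructed for illustration, not taken from the real samples.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

def triage(manifest_xml):
    """Return the sorted risk markers found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = set()
    # Stage 1 (dropper): the app may ask the user to install another APK.
    if P + "REQUEST_INSTALL_PACKAGES" in perms:
        findings.add("can-install-other-apks")
    # Stage 2 (payload): access to SMS, where one-time codes arrive.
    if perms & {P + "READ_SMS", P + "RECEIVE_SMS"}:
        findings.add("sms-access")
    # Stage 2 (payload): a declared accessibility service can observe the
    # screen and user input once the user enables it.
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == P + "BIND_ACCESSIBILITY_SERVICE":
            findings.add("accessibility-service")
    return sorted(findings)

NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'

# Constructed sample: a scanner app that can also trigger installs.
SCANNER = f"""<manifest {NS} package="com.example.scanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application/>
</manifest>"""

# Constructed sample: an "add-on" with SMS access and an accessibility service.
ADDON = f"""<manifest {NS} package="com.example.addon">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".Svc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("scanner", SCANNER), ("addon", ADDON)):
        print(name, triage(xml))
```

None of these markers is malicious on its own; they flag apps whose stated purpose, such as scanning QR codes, does not explain the capability.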
There are over 400 apps targeted
Cleafy says Teabot now targets more than 400 apps, including home banking apps, insurance apps, crypto-wallets and crypto exchanges, which amounts to a 500% increase over the past year alone.