Every so often, an app gets on Google Play that manages to trick users into downloading malware. That’s exactly what happened with a recent app that installed a remote access trojan that swiped passwords, text messages, and other personal data.
The trojan is known as either TeaBot or Anatsa, and it first started appearing in May 2021. It lets the malicious individual remotely view the screens of infected devices and interact with operations carried out by the device’s owner.
As reported by security firm Cleafy, the TeaBot malware is back in an Android app called QR Code & Barcode Scanner. The researchers informed Google of the malicious application and the app was removed from Google Play. However, it had already been downloaded more than 10,000 times before it was pulled. If you have this app on your phone, delete it immediately.
“TeaBot RAT capabilities are achieved via the device screen’s live streaming (requested on-demand) plus the abuse of Accessibility Services for remote interaction and key-logging. This enables Threat Actors (TAs) to perform ATO (Account Takeover) directly from the compromised phone, also known as ‘On-device fraud’,” said Cleafy’s report.
Once the app is installed, it immediately requests an update through an outside service. That update is what installs the malware, and because it comes from outside Google Play, it gets around Google Play’s security.
The new version of the trojan can target home banking applications, insurance applications, crypto wallets, and crypto exchanges. The original incarnation could target approximately 60 apps, and now it can target more than 400.
This is a scary RAT malware and serves as a reminder to be careful what you install on your phone.