Insidious TeaBot banking trojan targets hundreds of financial apps
Remote access trojans, or RATs, can wreak havoc on your finances. Attackers come at you from every digital direction and the malware they cook up is often insidious in its adaptability. Android banking trojan TeaBot, which has been around since 2021, originally tried to lure users via “smishing,” or fake SMS messages from innocent-looking services embedded with malicious links. Unfortunately, it hasn’t been fully vanquished, as this year it acquired new methods for creeping onto your phone.
Cybersecurity experts with Cleafy recently published a new report on TeaBot that should put any Android user on guard. The team found that there’s been a big jump in the number of TeaBot targets — at least 400 apps used for banking, cryptocurrency transactions, and digital insurance — and the malware has begun targeting victims in Russia, Hong Kong, and the United States.

TeaBot operates using “on-device fraud,” manipulating accessibility services and the infected device’s live-streaming ability in a way that permits attackers to remotely interact with phones and monitor them via key-logging. One of its latest known incarnations emerged via a QR code app on the Play Store, functioning as a poison pill-like dropper for the malware.
Users stumbling across the listing probably thought they were downloading a legit-looking QR Code & Barcode Scanner. When it first hits your phone, it is harmless, and even does its intended job — that’s how attackers sneak it into the store. As you can see above, this scanner app was at least 10,000 installations strong and reviews for it revealed no red flags. Unfortunately, this is like buying a perfectly functional alarm clock that tricks you into loading it with a bomb.

Upon download, the app issues a popup requesting you install an add-on. While that’s not a red flag in and of itself, innocent apps typically install such software via the Google Play Store, while this one tries to trick you into a sideload. A redirection like that can signal the likely presence of a trojan dropper, and here the add-on contains TeaBot.
Once in, the malware goes to work, accessing permissions for your phone’s accessibility services, which lets it seize control of your screen. It can then record fun stuff like logins, SMS, and two-factor authentication codes. This extra-sneaky 2022 incarnation of the RAT picks up new language capabilities (Russian, Mandarin Chinese) to go along with its newly-targeted countries, and can sometimes evade conventional detection by standard anti-malware apps.
If you have this app installed, which was listed as a product of “QR Barcode Scanner Bussiness [sic] LLC,” delete it immediately to avoid strangers buying who-knows-what on your dime (and honestly, maybe think about a full factory wipe). While the exact QR Code app seen in Cleafy’s screengrab appears to have been removed from the Play Store, it’s a reasonable bet that any app that immediately asks you to install something via unknown sources might be suspect.
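For anyone vetting apps before they reach a fleet of phones, the two behaviors described above (an app that can prompt a sideload, and an add-on that registers an accessibility service) are visible in a decoded AndroidManifest.xml. The following is an added example, not code from Cleafy or from the article; the package names and manifests are constructed samples, and the finding labels are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"  # needed to prompt a sideload
A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"   # guards accessibility services
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

def triage(manifest_xml):
    """Return heuristic findings for one decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NS + "name")
                 for tag in ("uses-permission", "uses-permission-sdk-23")
                 for e in root.iter(tag)}
    # A service protected by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    a11y = sorted(s.get(NS + "name", "?") for s in root.iter("service")
                  if s.get(NS + "permission") == A11Y)
    findings = []
    if INSTALL in requested:
        findings.append("can-prompt-sideload")
    if a11y:
        findings.append("accessibility-service:" + ",".join(a11y))
    if a11y and requested & SMS:
        findings.append("accessibility+sms")
    return findings

HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'

# Constructed sample: a scanner app that can also ask to install another APK.
DROPPER = HEAD % "com.example.scanner" + """
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application/></manifest>"""

# Constructed sample: an add-on with an accessibility service and SMS access.
PAYLOAD = HEAD % "com.example.addon" + """
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".AddonService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application></manifest>"""

# Constructed sample: a scanner that only needs the camera.
BENIGN = HEAD % "com.example.plainscanner" + """
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/></manifest>"""

if __name__ == "__main__":
    for label, doc in (("dropper", DROPPER), ("payload", PAYLOAD), ("benign", BENIGN)):
        print(label, triage(doc))
```

These findings are review prompts rather than verdicts: legitimate app stores, screen readers, and password managers also use these permissions.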
This article is sponsored by Total Wireless.