Google has removed from the Google Play Store a QR Code and Barcode Scanner app that steals users’ data. The security firm Cleafy notified Google of the malicious app and it was removed immediately, but not before it had been downloaded more than 10,000 times by users around the world.
Using a Trojan called TeaBot, the app targets mobile banking apps, insurance apps, crypto wallets, and crypto exchanges, among others, Cleafy revealed. Within a year of being introduced to the Google Play Store, the Trojan’s list of targets rose from 60 to more than 400, and it added support for new languages such as Russian, Slovak, and Mandarin Chinese on infected devices.
Introduced to the Play Store in May 2021, the thieving app escaped detection for a long time: only two antimalware technologies caught it. The malicious QR Code and Barcode Scanner requested only a few permissions after installation, which kept it looking benign, but it then showed a pop-up notifying users that a new update was available.
Once users accepted the “fake update” through the pop-up, the update was fetched from two GitHub repositories and installed the TeaBot Trojan on their devices. The repositories were created by a GitHub user named feleanicusor. The update makes it possible for the app to steal users’ login details, text messages, and two-factor authentication codes from the device’s screen.
It does this through two Accessibility Services permissions it requests: “view and control screen” and “view and perform actions”.
“Once the users accept to download and execute the fake update, TeaBot will start its installation process by requesting the Accessibility Services permissions in order to obtain the privileges needed,” Cleafy stated. “View and control screen [is] used for retrieving sensitive information such as login credentials, SMS, 2FA codes from the device’s screen. View and perform actions [is] used for accepting different kinds of permissions, immediately after the installation phase, and for performing malicious actions on the infected device.”
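The Accessibility Services privilege described above is what gives TeaBot its screen-reading and self-granting capability, so a defender’s first check on a suspect device is which apps hold it. The following is an added example, not code from the article or from Cleafy: it parses the value of Android’s `enabled_accessibility_services` secure setting (as returned by `adb shell settings get secure ...`) and flags any service whose package is not on an assumed allowlist; the package names used are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not code from the article or from Cleafy. Audits which apps
# hold the Accessibility Services privilege that TeaBot abuses, given the raw
# value of Android's secure setting "enabled_accessibility_services", whose
# format is "pkg/ServiceClass:pkg2/ServiceClass2". On a real device obtain it:
#   adb shell settings get secure enabled_accessibility_services | tr -d '\r'
# Package names below are hypothetical placeholders, not identifiers from the article.

# Assumed allowlist of packages expected to run an accessibility service
# (e.g. a screen reader); tune it to the fleet being checked.
ALLOWED="com.android.talkback com.google.android.marvin.talkback"

# flag_unexpected_services VALUE
# Prints one line per enabled service whose package is not in ALLOWED.
# Returns 0 if every enabled service is allowlisted, 1 otherwise.
flag_unexpected_services() {
    rest=$1
    rc=0
    # `settings get` prints "null" when no service has ever been enabled.
    if [ "$rest" = "null" ]; then
        rest=
    fi
    # Walk the ':'-separated list with parameter expansion (no IFS juggling).
    while [ -n "$rest" ]; do
        svc=${rest%%:*}
        if [ "$svc" = "$rest" ]; then rest=; else rest=${rest#*:}; fi
        [ -z "$svc" ] && continue        # skip empty segments (e.g. a leading ':')
        pkg=${svc%%/*}                   # package part of "pkg/ServiceClass"
        ok=0
        for a in $ALLOWED; do
            [ "$a" = "$pkg" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf 'UNEXPECTED accessibility service: %s\n' "$svc"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a screen reader plus a hypothetical scanner app whose
# service the user was talked into enabling via a "fake update" prompt.
SAMPLE='com.android.talkback/.TalkBackService:com.example.qrscanner/.ScreenService'
flag_unexpected_services "$SAMPLE" || echo "Review the flagged service(s) under Settings > Accessibility."
```

A service that is flagged here is not proof of infection, but an unfamiliar package holding this privilege on a device that also shows unexpected SMS or banking activity is exactly the combination described above.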
Before resurfacing on the Play Store as QR Code and Barcode Scanner, the Trojan was known as either TeaBot or Anatsa when it first appeared in May 2021. Back then, it infiltrated streaming software so that its operators could take control of users’ screens for malicious purposes. It was also modified to target the banking apps of about 60 banks globally.
Although Google has removed the app, another may surface to put users at risk unless Google raises the bar on identifying malware before third-party security firms do.