Malicious Google Play apps have circumvented censorship by hiding trojans in software updates.
The TeaBot banking trojan – also known as Anatsa – has been spotted on the Google Play store, researchers from Cleafy have discovered.
The malware – designed to intercept SMS messages and login credentials from unwitting users – affected users of more than 400 banking and financial apps, including those from Russia, China, and the U.S, its report claims. It was not the first time TeaBot has terrorized Android users.

TeaBot Just Won’t Die.
Cleafy discovered the trojan disguised as a QR code app on Google Play Store, which has already spread to more than 10,000 devices. This is not the first time that the TeaBot has propagated via the Play Store. The operators followed the same trick in January. While all malicious applications were removed by Google, the TeaBot found its way back.

TeaBot was first discovered last year. It is a relatively straightforward malware designed to siphon banking, contact, SMS, and other types of private data from infected devices. What makes it unique – what gives it such staying power – is the clever means by which it spreads.
TeaBot requires no malicious email or text message, no fraudulent website, or third-party service. Instead, it typically comes packaged in a dropper application. Droppers are programs that seem legitimate from the outside, but in fact, act as vehicles to deliver a second-stage malicious payload.
TeaBot droppers have masked themselves as ordinary QR code or PDF readers. Hank Schless, senior manager of security solutions at Lookout, explained via email that attackers usually stick to utility applications like QR code scanners, flashlights, photo filters, or PDF scanners. Because these are the applications that people download out of necessity and likely would not put as much time into looking at reviews, that might impact their decision to download.
This tactic appears to be effective. In January, an app called QR Code Reader – Scanner App was distributing 17 different Teabot variants for a little over a month. It managed to pull in more than 100,000 downloads by the time it was discovered.
Other TeaBot droppers – discovered by Dutch security firm ThreatFabric last November – have been packaged under many names, such as QR Scanner 2021, PDF Document Scanner, and CryptoTracker. The latest, according to security firm Cleafy, was QR Code & Barcode – Scanner.
Why TeaBot Cannot Be Stopped?
App stores have policies and protections aimed at combating malware. Google Play Protect, for example, helps root out malicious apps before they are installed and scans for evidence of misdoing on a daily basis. However, TeaBot droppers are not malicious. They might seem perfectly uninteresting, at least on the surface. Once a user opens one of these nondescript apps, they are prompted to download a software update. The update is a second app containing a malicious payload.
If the user gives their app permission to install software from an unknown source, the infection process begins. Like other Android malware, the TeaBot malware attempts to leverage Accessibility Services. Such attacks use an advanced remote access feature that abuses the TeamViewer application – remote access and desktop sharing tool – giving the bad actor behind the malware remote control over the victims’ devices.
The ultimate goal of these attacks is to retrieve sensitive information such as login credentials, SMS, and 2FA codes from the device’s screen, to perform malicious actions on the device, the report said.
How TeaBot Can Be Stopped
TeaBot attacks have grown fast. As Cleafy notes, “In less than a year, the number of applications targeted by TeaBot have grown more than 500%, going from 60 targets to over 400.”
What can be done to stop them?
Real-time scanning of application downloads even, if the app does not originate from Google Play – would help to mitigate this issue, Shawn Smith, director of the infrastructure at nVisium, told Threatpost on Wednesday via email. Adding to this additional warning messages when installing app add-ons that are not on Google Play could be useful.
Leo Pate, the managing consultant at nVisium, also told Threatpost via email on Wednesday that “Google could be implementing checks on permissive permissions for applications to run, obtaining lists of specific hardcoded public IPs and domain names. Then, [Google could run] them through various sources to see, if they are bad.
Until app stores have fixed the problem with droppers, users will have to remain alert, Schless noted. Everyone knows that they should have antivirus and anti-malware apps on their computers, and mobile devices should not be treated any differently.