The TeaBot malware has been found abusing the Google Play Store as an attack vector for the second time, infecting unsuspecting users. Since last year, the malware's operators have upgraded its attack chain several times to expand its reach and infiltrate more targets.
According to previous reports, researchers discovered the trojan impersonating a QR code application on the Google Play Store, where it infected approximately 10,000 devices.
This is not the first time the malware has propagated through the Play Store: the operators of TeaBot used the same method in January. Unfortunately, even though the Google security team removed the threat actors' malicious app, the operators still found a way to reappear on the application store.
The applications act as droppers: the threat actors submit them without any malicious code. The operators then request only minimal permissions from users, so Google's reviewers do not regard the TeaBot app as dangerous.
The threat actors’ malicious apps also include helpful functionalities for users; that is why the app has numerous positive reviews on Google Play Store.
The TeaBot malware disguised itself as an official app called “QR Code & Barcode – Scanner”, a legitimate QR scanning application.
Upon installation, the app will request the user to update the app from an external source. The researchers traced the download source to two GitHub repositories.
Following this update request, the app changes its name to "QR Code Scanner: Add-On." This new application, which Google Play Store security has not reviewed, then requests Accessibility Services permissions.
Once the add-on is installed on the user's device, it gains access to numerous malicious capabilities, such as grabbing screenshots, viewing the user's screen, and recording login credentials, SMS content, and 2FA codes. It can also auto-grant permissions in the background without the consent or awareness of the device owner.
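The chain above leaves a detectable trace on the device: a package that was not installed by the Play Store but is bound as an accessibility service. The following triage script is an added example, not code from the article or from the researchers; it feeds constructed samples of `pm list packages -i` and `settings get secure enabled_accessibility_services` output (package names are made up) into a check that flags such packages.

```shell
#!/bin/sh
# Added example: flag enabled accessibility services whose package was not
# installed by the Play Store (installer com.android.vending), which is the
# footprint a sideloaded "add-on" leaves. On a live device the two inputs come from:
#   adb shell pm list packages -i
#   adb shell settings get secure enabled_accessibility_services

# Constructed sample of `pm list packages -i` (installer follows each package).
SAMPLE_PKGS='package:com.android.chrome  installer=com.android.vending
package:com.example.qrscanner  installer=com.android.vending
package:com.example.qrscanner.addon  installer=com.example.qrscanner
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.notes  installer=null'

# Constructed sample of the enabled_accessibility_services setting
# (colon-separated component names, package/class).
SAMPLE_SERVICES='com.example.qrscanner.addon/com.example.qrscanner.addon.AccService:com.google.android.marvin.talkback/.TalkBackService:com.example.notes/.NoteService'

# flag_sideloaded_a11y PKG_LIST SERVICE_LIST
# Prints "package installer=<source>" for every enabled accessibility service
# whose installer is anything other than the Play Store (or is unknown).
flag_sideloaded_a11y() {
    pkgs="$1"
    services="$2"
    # One component per line, then keep only the package part before '/'.
    printf '%s\n' "$services" | tr ':' '\n' | cut -d/ -f1 | while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        # Exact match on the first field avoids prefix collisions
        # (com.example.qrscanner vs com.example.qrscanner.addon).
        installer=$(printf '%s\n' "$pkgs" |
            awk -v p="package:$pkg" '$1 == p { sub(/.*installer=/, ""); print }')
        if [ "$installer" != "com.android.vending" ]; then
            echo "$pkg installer=${installer:-unknown}"
        fi
    done
}

# Run against the constructed samples; replace with the adb outputs on a real device.
flag_sideloaded_a11y "$SAMPLE_PKGS" "$SAMPLE_SERVICES"
```

An `installer=null` result means the package was sideloaded by a user or by another app, which is exactly what the dropper's "update from an external source" step produces.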
Researchers indicated that TeaBot currently targets Chinese, Russian, and US users.
TeaBot's latest strategy ensures that it bypasses the review process implemented by the Play Store. Because it can impersonate legitimate apps, ordinary AV solutions do not detect it.
This shows that the threat actors are working tirelessly to make their evasion more effective. Experts suggest not installing applications that are not strictly necessary in order to stay protected against these threats.