TeaBot is spilling like hot tea across the Google Play Store once again. Since its emergence in 2021, the malware has been upgraded several times to reach more targets and widen its pool of victims.

What’s going on?

  • Cleafy discovered the trojan disguised as a QR code app on the Google Play Store; by then the app had already been installed on more than 10,000 devices.
  • This is not the first time TeaBot has propagated via the Play Store. The operators used the same trick in January, and although Google removed all of the malicious apps, the bot found its way back.
  • The apps act as droppers: the version submitted to Google Play contains no malicious code and requests only minimal permissions, which gives Google's reviewers little reason to flag it as suspicious.
  • The apps also deliver the functionality they promise, which earns them positive reviews on the Play Store.

Modus operandi

  • The dropper posed as an app named QR Code & Barcode - Scanner, which does work as a QR scanning app.
  • Once installed, however, it asks the user to update the app from an external source. The download source was traced back to two GitHub repositories.
  • After this "upgrade", the app appears under the name QR Code Scanner: Add-On and requests access to Accessibility Services.

New app functionality

  • Grab screenshots, view the user's screen, and capture login credentials, 2FA codes, and SMS content.
  • Grant itself further permissions in the background, without the user's knowledge, by abusing the Accessibility Services access it was given.
  • Beyond these capabilities, TeaBot is now actively targeting users in the U.S., Russia, and China.
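As an added example (not Cleafy's research code and not anything from the TeaBot report), the following Python script shows how a responder could check an Android device for the chain described in the two lists above: a package installed by another app rather than by the Play Store, which is then running an accessibility service. It parses constructed copies of the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and `adb shell settings get secure enabled_accessibility_services`; the package and class names in the samples are made up for illustration.

```python
"""Triage check for the TeaBot dropper pattern: a package installed by another
app (the "update" fetched from outside the Play Store) that also has an
accessibility service enabled.

Added example, not Cleafy's or the malware authors' code. It runs offline on
constructed sample text; on a real device the same text would come from
    adb shell pm list packages -3 -i
    adb shell settings get secure enabled_accessibility_services
"""
import re

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `pm list packages -3 -i`. Package names are made up.
# "installer=null" means no installer was recorded, i.e. the APK was sideloaded.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.qrscanner  installer=com.android.vending
package:com.example.qrscanner.addon  installer=com.example.qrscanner
package:com.example.bank  installer=com.android.vending
package:com.example.notes  installer=null
package:com.example.voicehelper  installer=com.android.vending
"""

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated list of <package>/<service class> component names.
SAMPLE_A11Y_OUTPUT = (
    "com.example.qrscanner.addon/com.example.qrscanner.addon.A11yService"
    ":com.example.voicehelper/.VoiceService"
)

PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_installers(pm_output):
    """Map package name -> installer package, or None if sideloaded."""
    installers = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines
        inst = m.group("inst")
        installers[m.group("pkg")] = None if inst == "null" else inst
    return installers


def parse_accessibility(a11y_output):
    """Set of package names that currently have an accessibility service enabled."""
    pkgs = set()
    for entry in a11y_output.strip().split(":"):
        if "/" in entry:  # component name: <package>/<class>
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def triage(pm_output, a11y_output, trusted_installers=(PLAY_STORE_INSTALLER,)):
    """Return {package: [reasons]} for every package with at least one indicator."""
    installers = parse_installers(pm_output)
    a11y = parse_accessibility(a11y_output)
    findings = {}
    for pkg, inst in installers.items():
        reasons = []
        if inst is None:
            reasons.append("sideloaded (no installer recorded)")
        elif inst not in trusted_installers:
            # A third-party app acting as the installer is the dropper pattern.
            reasons.append("installed by another app: " + inst)
        if pkg in a11y:
            reasons.append("has an enabled accessibility service")
        if reasons:
            findings[pkg] = reasons
    return findings


def high_risk(findings):
    """Packages matching the full pattern: not installed via a trusted store
    AND running an accessibility service."""
    out = []
    for pkg, reasons in findings.items():
        not_store = any(r.startswith(("sideloaded", "installed by")) for r in reasons)
        a11y = any(r.startswith("has an enabled") for r in reasons)
        if not_store and a11y:
            out.append(pkg)
    return sorted(out)


if __name__ == "__main__":
    results = triage(SAMPLE_PM_OUTPUT, SAMPLE_A11Y_OUTPUT)
    for pkg, reasons in sorted(results.items()):
        print(pkg, "->", "; ".join(reasons))
    print("HIGH RISK:", high_risk(results))
```

Use `-3` on a real device so that system apps, which also report `installer=null`, do not show up as sideloaded; a single indicator (an app from the Play Store with an accessibility service, or a sideloaded app with none) is worth a look but is not by itself the TeaBot chain, which is why only packages hitting both indicators are reported as high risk.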

The bottom line

The tactic TeaBot is using here lets its dropper pass the checks implemented by the Google Play Store: the submitted app contains no malicious code, asks for few permissions, and really does scan QR codes, so it is hard to distinguish from a legitimate app and gives conventional antivirus products little to flag until the payload is fetched. The operators are also working on more robust obfuscation. To reduce the chance of falling victim to banking trojans like this one, keep the number of installed applications to a minimum, and treat any app that asks you to install an "update" from outside the Play Store, or that requests access to Accessibility Services, as a red flag.

Cyware Publisher
