Google Play Protect, Android's built-in protection against malware, is like a distracted bank security guard. It's supposed to keep the bad guys at bay, but every now and then, it drops the ball and puts its users at risk.
In late February, the Cleafy Threat Intelligence and Incident Response team discovered a malware-infected Android app that attracted more than 10,000 downloads in the Google Play Store.
The app, masquerading as a QR Code & Barcode Scanner, was actually designed to infect devices with a trojan called TeaBot. Dun, dun, dun!
TeaBot, also known as Anatsa, is a malware program that spies on users' sensitive information and steals victims' credentials. As mentioned, a recent sample revealed that malevolent actors used a dropper app, an innocuous-looking QR Code & Barcode Scanner platform, to distribute TeaBot to unsuspecting users.
Interestingly, the QR Code & Barcode Scanner app appeared to be genuine; the reviews indicated that the platform was legitimate and functioned well. However, the app had sinister motives.
"Once downloaded, the dropper will request immediately an update through a popup message. Unlike legitimate apps that perform the updates through the official Google Play Store, the dropper application will request to download and install [TeaBot]," the Cleafy security team said.
After executing the faux "update," TeaBot will ask unwitting users for certain permissions, including the ability to view and control users' screens.
Once the target accepts these permissions, TeaBot will wreak havoc on the device, allowing hackers to take over the device and siphon sensitive credentials such as banking information, SMS messages, contact data, and more.
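The two behaviours just described, a component installed outside the Play Store and an accessibility service wired in to "view and control" the screen, can be triaged from a device's own package list. The script below is an added example, not code from the article or from Cleafy; it parses constructed text in the shape of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` output, and the package names in the sample are placeholders rather than real indicators.

```python
"""Flag installed packages that match the dropper pattern described above:
sideloaded (installer is not the Play Store) AND running an enabled
accessibility service. Added example; not the article's or Cleafy's code."""
from typing import Dict, List, Optional, Set

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample in the format of `pm list packages -i`; placeholder names.
SAMPLE_PACKAGES = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.qrscanner  installer=com.android.vending
package:com.example.update  installer=null
package:com.example.keyboard  installer=com.android.vending
"""
# Constructed sample of the enabled_accessibility_services secure setting.
SAMPLE_A11Y = ("com.example.update/com.example.update.CtrlService:"
               "com.example.keyboard/com.example.keyboard.ImeSvc")


def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package; None when sideloaded/unknown."""
    result: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg_part, _, inst_part = line.partition("installer=")
        pkg = pkg_part[len("package:"):].strip()
        installer = inst_part.strip()
        result[pkg] = None if installer in ("", "null") else installer
    return result


def parse_accessibility_services(setting: str) -> Set[str]:
    """Return package names with at least one enabled accessibility service."""
    pkgs: Set[str] = set()
    for entry in setting.split(":"):
        entry = entry.strip()
        if entry and entry != "null":
            pkgs.add(entry.split("/", 1)[0])  # "pkg/Service" -> "pkg"
    return pkgs


def flag_suspects(pm_output: str, a11y_setting: str) -> List[str]:
    """Packages that are both sideloaded and hold accessibility control."""
    installers = parse_installers(pm_output)
    a11y = parse_accessibility_services(a11y_setting)
    return sorted(p for p, inst in installers.items()
                  if inst != PLAY_STORE_INSTALLER and p in a11y)


if __name__ == "__main__":
    for pkg in flag_suspects(SAMPLE_PACKAGES, SAMPLE_A11Y):
        print(f"REVIEW: {pkg} is sideloaded and has an accessibility service")
```

On a real device the two strings come from the `adb shell` commands named in the lead-in; a hit is a prompt for review, not proof of infection, since legitimate sideloaded accessibility tools exist.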
Fortunately, Cleafy informed Google about the malicious app. The search-engine tech giant removed the malware from the app store. It's no secret that Google Play Protect is inadequate. In 2021, AV-Test published a damning report revealing that Google Play Protect only detected two-thirds of the 20,000 malicious apps in its sample.
It's worth noting that the TeaBot variant the Cleafy security team discovered is a new one. It now targets crypto wallets and exchanges. On top of that, the original TeaBot only targeted about 60 apps; now it can infiltrate more than 400.
Cleafy's TeaBot discovery serves as a reminder that users must be careful with what they download in the Google Play Store. Many apps appear to be harmless, but they have ulterior motives.