Skip to main content

Don't download this malicious Android app! It lets hackers spy on your bank info, crypto and texts

Android malware TeaBot masquerading as a QR Code and Barcode Scanner app
Android malware TeaBot masquerading as a QR Code and Barcode Scanner app (Image credit: Cleafy Labs)

Google Play Protect, Android's built-in protection against malware, is like a distracted bank security guard. It's supposed to keep the bad guys at bay, but every now and then, it drops the ball and put its users at risk. 

In late February, the Cleafy Threat Intelligence and Incident Response team discovered a malware-infected Android app that attracted more than 10,000 downloads in the Google Play Store.

The app, masquerading as a QR Code & Barcode Scanner, was actually designed to infect devices with a trojan called TeaBot. Dun, dun, dun!

Android malware teabot

QR Code app with ulterior motives (Image credit: Cleafy Labs)

TeaBot, also known as Anatsa, is a malware program that spies on users' sensitive information and steal victims' credentials. As mentioned, a recent sample revealed that malevolent actors used a dropper app, an innocuous-looking QR Code & Barcode Scanner platform, to distribute TeaBot to unsuspecting users.

Interestingly, the QR Code & Barcode Scanner app appeared to be genuine; the reviews indicated that the platform is legitimate and functioned well. However, the app had sinister motives.

"Once downloaded, the dropper will request immediately an update through a popup message. Unlike legitimate apps that perform the updates through the official Google Play Store, the dropper application will request to download and install [TeaBot]," the Cleafy security team said.

After executing the faux "update," TeaBot will ask unwitting users for certain permissions, including the ability to view and control users' screens.

Cleafy Labs

TeaBot luring users to give up permissions (Image credit: Cleafy Labs)

Once the target accepts these permissions, TeaBot will wreak havoc on the device, allowing hackers to take over the device and siphon sensitive credentials such as banking information, SMS messages, contact data, and more.

Fortunately, Cleafy informed Google about the malicious app. The search-engine tech giant removed the malware from the app store. It's no secret that Google Play Protect is inadequate. In 2021, AV-Test published a damning report revealing that Google Play Protect only detected two-thirds of the 20,000 malicious apps in its sample.

It's worth noting that the TeaBot variant the Cleafy security team discovered is a new one. It now targets crypto wallets and exchanges. On top of that, the original TeaBot only targeted about 60 apps; now it can infiltrate more than 400.

Cleafy's TeaBot discovery serves as a reminder that users must be careful with what they download in the Google Play Store. Many apps appear to be harmless, but they have ulterior motives.

Kimberly Gedeon, holding a Master's degree in International Journalism, launched her career as a journalist for MadameNoire's business beat in 2013. She loved translating stuffy stories about the economy, personal finance and investing into digestible, easy-to-understand, entertaining stories for young women of color. During her time on the business beat, she discovered her passion for tech as she dove into articles about tech entrepreneurship, the Consumer Electronics Show (CES) and the latest tablets. After eight years of freelancing, dabbling in a myriad of beats, she's finally found a home at Laptop Mag that accepts her as the crypto-addicted, virtual reality-loving, investing-focused, tech-fascinated nerd she is. Woot!