TeaBot Malware Infiltrates Google Play Store Again

The TeaBot banking trojan was again found in the Google Play Store, where it posed as a QR code reader (QR Code & Barcode Scanner) and managed to spread to more than 10,000 devices. The malware targets users of more than 400 banking and financial applications, including those from Russia, China, and the United States.

According to a report from Cleafy, TeaBot-infected applications act as droppers. That is, they reach the Google Play Store without malicious code and request minimal permissions from the user, so it is difficult for reviewers and Google’s automated checks to detect anything suspicious.

In addition, the trojanized applications actually work, delivering the promised functionality, so the reviews about them are mostly positive.

TeaBot on the Google Play Store

For example, QR Code & Barcode – Scanner, which was discovered in February, looked like a regular utility for scanning QR codes. However, once installed, the app requested an update via a pop-up message, and instead of the standard procedure set by the Play Store rules, the update was downloaded from an external source.

The experts traced the source of these downloads to two GitHub repositories owned by the user feleanicusor and containing several samples of the TeaBot malware, uploaded on February 17, 2022.

Figure: Attack scheme

Once this “update” is complete, TeaBot is downloaded to the victim’s device as a new application, QR Code Scanner: Add-On. This application starts automatically and requests the rights to use Accessibility Services in order to:

  1. view the device screen and create screenshots that capture login credentials, two-factor authentication codes, SMS content, and so on;
  2. automatically grant additional permissions to the malware in the background, without any user intervention.
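The two traits described above (an "update" fetched outside the Play Store, then an Accessibility Service enabled by that sideloaded package) are something a defender can check for on a managed device. The following is an added example, not code from Cleafy's report: it parses constructed samples of `adb shell pm list packages -i` and of the `enabled_accessibility_services` secure setting, and flags any package with an enabled accessibility service whose installer is not the Play Store. Package names and output lines are constructed for illustration.

```python
import re

# Constructed sample of `adb shell pm list packages -i` output (not real device data).
PM_LIST_SAMPLE = """\
package:com.android.vending  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.screenreader  installer=com.android.vending
package:com.qrscanner.main  installer=com.android.vending
package:com.qrscanner.addon  installer=null
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (entries are pkg/.ServiceClass, separated by colons).
ENABLED_A11Y_SAMPLE = (
    "com.qrscanner.addon/.OverlayService:com.example.screenreader/.ReaderService"
)

# Installers we consider legitimate for apps that get accessibility rights.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_installers(pm_output):
    """Map package name -> installer package ('null' means sideloaded or preinstalled)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_enabled_a11y(settings_value):
    """Package names that currently have an enabled accessibility service."""
    return {entry.split("/")[0] for entry in settings_value.split(":") if entry}


def suspicious_a11y_packages(pm_output, settings_value):
    """Packages with an enabled accessibility service not installed by a trusted store."""
    installers = parse_installers(pm_output)
    flagged = []
    for pkg in sorted(parse_enabled_a11y(settings_value)):
        installer = installers.get(pkg, "null")
        if installer not in TRUSTED_INSTALLERS:
            flagged.append((pkg, installer))
    return flagged


if __name__ == "__main__":
    for pkg, installer in suspicious_a11y_packages(PM_LIST_SAMPLE, ENABLED_A11Y_SAMPLE):
        print(f"review: {pkg} (installer={installer}) has an enabled accessibility service")
```

On a real device, preinstalled system services also report `installer=null`, so the flagged list should be cross-checked against `pm list packages -s` before treating a hit as malicious.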


Interestingly, earlier versions of TeaBot, discovered in January 2021 and studied by Bitdefender, exited if they detected that the victim was in the United States. Now TeaBot also attacks users from the United States, and has received support for Russian, Slovak and Chinese languages; that is, the malware attacks any users without making exceptions.

Also, compared to samples from early 2021, the malware is now more obfuscated, and the number of its target applications has increased by 500%, from 60 to 400. These include banking and insurance applications, as well as cryptocurrency wallets and exchange solutions.

Let me remind you that we also wrote that experts discovered Xenomorph malware in the Google Play Store, and that AbstractEmu Android malware “roots” smartphones and evades detection.

Helga Smith
