This time we revisit the Google Play Store for the delivery method, but with a new payload tracked as TeaBot and Anatsa. Although not entirely new (it has been tracked since May 2021), the malware has some sophisticated features that allow it to perform the usual gamut of tasks such as credential stealing, SMS capture, account takeover, remote screen monitoring, you know the drill. It accomplishes this by abusing Accessibility Services and the live screen streaming option available on most Android devices.
One of the most common methods of getting past Google's checks is to leverage in-app purchases and to hide the controls under the guise of accessibility. The malware developer will build an app that can deliver a second-stage payload, but that also has a plausible, legitimate reason to request access to Accessibility Services. Google has been fighting the abuse of these controls for some time but has not found the magic spot between allowing them for legitimate purposes and leaving them open to attack. This has made them a popular target for threat actors.
In the case of TeaBot, the operators seem to favour apps that pose as QR code scanners. This makes sense, as those apps already request a decent number of permissions, so an Accessibility Services prompt would not look out of place. Security researchers have identified multiple apps that have popped up with TeaBot's fingerprints on them. One in January had 100,000 downloads before it was taken down, while the most recent hit 10,000 downloads. The Trojan is not just after your typical banks either. Versions of TeaBot that target crypto wallets and exchange apps have also been discovered, as the malware's developers have expanded its targeting to more than 400 different financial institutions.
It is clear from the numbers that people are still downloading these poisoned apps and that the protections Google and others have in place are not working as intended. There are some fundamental changes that need to happen in mobile security, and soon. There also needs to be a fundamental change in the way that users view apps and their mobile devices. They should not assume that just because something is on an official app store (regardless of who hosts it) it is not malicious. Anti-malware services also need an overhaul. Simply scanning an app for a signature match is just as ineffective in the mobile world as it is in the desktop world. There needs to be an effort to extend behavior-based detection to the consumer market to help remove these pivots. Banking malware is not going anywhere, as it is simply too easy given the current environment. We can only hope things change, and soon.