DecryptedTech

Thursday11 August 2022

More Banking Malware Slips by the Protections in the Google Play Store, Meet TeaBot


Reading time is around minutes.

Banking malware for mobile devices is on the rise thanks to the ubiquitous use of mobile apps for personal financial tracking and transactions. This move was almost certain to attract threat actors like a moth to a porchlight. When given the gloriously poor state of mobile anti-malware and protection it is no wonder there are so many flavors of this popping up. What is even more disappointing, is the fact that we are seeing the malware packages pushed out through legitimate app stores.

This time we revisit the Google Play Store for the delivery method, but with a new payload tracked as TeaBot and Anatsa. Although not entirely new (if has been watched since May 2021) the malware has some sophisticated features that allow it to perform the usual gamut of tasks such as credential stealing, SMS capture, account takeover, remote screen monitoring, you know the drill. It accomplishes this via the highly targeted Accessibility Services and the live screen streaming option available on most android devices.

One of the most common methods of getting past the Google Checks is to leverage the use of in-app purchases and the hide the controls under the guise of accessibility. The malware developer will build an app that can deliver a 2nd stage payload, but also that has the legitimate right to access the Accessibility Services as well. Google has been fighting the abuse of these controls for some time but have not found the magic spot between allowing them for legitimate purposes and leaving them open to attack. It has made them a popular target for threat actors.

In the case of Teabot it seems they like to use apps that pose as QR Code scanners. This makes sense as those apps already have a decent number of permissions and seeing Accessibility Services options would not be too much of a stretch. Security Researchers have identified multiple apps that have popped up with Teabot’s fingerprints on them. One in January had 100,000 downloads before it was taken down, while the most recent hit 10,000 downloads. The Trojan is not just after your typical banks either. Versions of Teabot that target Crypto wallets and exchange apps have also been discovered as the malware developers to more than 400 different financial institutions.

It is clear from the numbers that people are still downloading these poisoned apps and the protections that Google and others have in place are not working as they are intended. There are some fundamental changes that need to happen in mobile security, and soon. There also needs to be a fundamental change in the way that users view apps and their mobile devices. They should not be assuming that just because something is on the official apps store (regardless of who hosts it) it is not malicious. Anti-malware services also need an overhaul. Simple scanning an app for a signature match is just as ineffective in the mobile world as it is in the desktop world. There needs to be an effort put to extend behavior-based detections to the consumer market to help remove these pivots. Banking malware is not going anywhere as it is simply too easy given the current environment. We can only hope things change and soon.

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.