
Data-stealing app found in Google Play downloaded thousands of times

A notorious Android banking trojan designed to steal user data, like passwords and text messages, has been discovered in Google Play and downloaded thousands of times.

The TeaBot banking trojan, also known as Anatsa and Toddler, was first observed in May 2021 targeting European banks by stealing two-factor authentication codes sent by text message. A new report from Cleafy, an online fraud management and prevention solution, now says the malware has evolved to include distribution via a second-stage malicious payload, and is now targeting users in Russia, Hong Kong and the United States.

Cleafy says that while the malware was previously distributed through SMS-based phishing campaigns using a number of common apps as lures, such as TeaTV, VLC Media Player and shipping apps like DHL and UPS, the malicious Google Play app was acting as a “dropper” to deliver TeaBot by way of a fake in-app update. Droppers are apps that appear legitimate, but in fact deliver a second-stage malicious payload.

The app, “QR Code & Barcode – Scanner,” since removed, managed to pull in more than 10,000 downloads by the time it was discovered. But because the app offers the promised functionality, nearly all of the app’s reviews are positive.

Although the app looks legitimate, it immediately requests permission to download a second application, “QR Code Scanner: Add-On,” which includes multiple TeaBot samples. Once installed, TeaBot asks for permissions to view and control the device’s screen to retrieve sensitive information such as login credentials, SMS messages and two-factor codes. It also abuses Android’s accessibility service, similar to other malicious Android apps, to request permissions that allow the malware to record keyboard entries.

“Since the dropper application distributed on the official Google Play Store requests only a few permissions and the malicious app is downloaded at a later time, it is able to get confused among legitimate applications and it is almost undetectable by common antivirus solutions,” Cleafy warns.

TechCrunch contacted Google for comment but did not receive a response; the app appears to have been removed from Google Play.


Cleafy says TeaBot is now targeting over 400 applications, including home banking apps, insurance apps, crypto wallets and crypto exchanges, an increase of more than 500% in less than a year.
