Disguised malware targets Google Play apps
A trojan detected on Google Play has infected hundreds of financial and banking apps available to download from the store, a report has found.
Researchers at Cleafy shared the information with ThreatPost, claiming that 400 banking and financial apps – from Russia, the US and China, among other countries – had been compromised by the malware, known as TeaBot or Anatsa.
The banking trojan was thought to have gone dark since emerging last year, but has in fact been more active than ever, multiplying its haul of infected apps nearly sevenfold since being discovered.
TeaBot is thought to be especially persistent because it disguises itself as a legitimate entity – such as a software update, PDF reader or QR code – before issuing a payload of malware.
ThreatPost has described it as a “relatively straightforward malware designed to siphon banking, contact, SMS and other types of private data from infected devices.”
Google Play typically screens apps to root out malicious ones so it can bar them, but it is thought that TeaBot is difficult to detect because of its self-disguising ability, allowing it to attack Android mobile phone users at will.
“Real-time scanning of downloads – even if the app doesn’t originate from Google Play – would help to mitigate this issue,” Shawn Smith of cybersecurity firm nVisium told Threatpost, adding that “additional warning messages when installing app add-ons that aren’t on Google Play could be useful, too.”
Other industry experts have called on Google to run lists of hard-coded IP addresses and cross-reference these with other sources, to determine if threat actors are behind permission requests to run apps.
More from Cybernews:
Subscribe to our newsletter