Update: After this story was published on March 2, Google has removed the app containing TeaBot from the Google Play Android App Store.
Two more Android banking Trojans have appeared on the Google Play Store, according to security researchers.
One malicious app was downloaded more than 50,000 times before it was kicked out of Google Play last week, while the second app, called QR Code & Barcode Scanner, was incredibly still in Google Play at the time of writing and aimed at American users.
The first app, called Fast Cleaner, says it aims to “speed up the device by clearing unused clutter and removing battery optimization blocks,” according to a report last week from security firm ThreatFabric.
Fast Cleaner works as promised, but it also contains a dropper, which is malware designed to secretly install other software on the device without the user’s knowledge. According to ThreatFabric’s analysis, Fast Cleaner’s main payload was a new type of banking Trojan that ThreatFabric named “Xenomorph” after the voracious creature in the Alien movie series.
Xenomorph uses screen overlays to trick the user into typing usernames and passwords, collects information about infected devices and reads users’ text messages. With these powers, it can obtain login credentials for bank accounts and webmail accounts. It can also capture and hide temporary PINs used for two-factor authentication, as well as other notifications sent to your phone.
ThreatFabric decoded Xenomorph’s code and found that it can generate disguised fake screens that look like nearly 60 different apps produced by banks in Belgium, Italy, Portugal and Spain. It can also forge login screens for (and steal user credentials from) Gmail, Google Play, Hotmail, Mail.com, Microsoft Outlook, PayPal, and Yahoo Mail.
Another popular Android banking Trojan, TeaBot, returned to Google Play last month after being previously kicked out, according to Italian security firm Cleafy.
Despite Cleafy’s report, the malware is still present on Google Play in the form of an app called “QR Code & Barcode – Scanner”, although there are many apps with similar names and functions. It has been downloaded more than 10,000 times and is accompanied by many user reviews, half of which give the app five stars. (After publishing this story, the app has been removed).
Like Fast Cleaner, QR Code & Barcode Scanner is a dropper that avoids Google Play’s scanning mechanisms by doing nothing malicious after you install it – at least for a while.
But eventually, according to Cleafy’s report, it asks for the user’s permission to install an “add-on”, which requires the user to allow software to be downloaded from an unknown source – and that “add-on” turns out to be the TeaBot banking Trojan.
Bad move! Tricking you into allowing unknown sources is a telltale sign that the bad guys are at work. Additionally, once the malicious “add-on” is installed, it abuses Android’s accessibility settings (intended for blind or deaf users) to control the phone’s screen, interact with other apps, and intercept text messages.
This means that, like Xenomorph, TeaBot can not only capture login credentials for bank accounts, webmail, social media, and other sensitive accounts, but can also defeat the two-factor authentication codes, whether sent to or generated on the phone, that are intended to prevent bad guys from logging in with stolen passwords.
TeaBot originally targeted banks in Spain, Germany and Italy when it debuted in mid-2021, Cleafy noted, but the malware has spread and is now focused on the United States.
How to detect, avoid and remove malicious Android apps
Naturally, you’ll need to make sure that you don’t download any of these malicious apps from Google Play or from third-party Android app stores. You will also need to uninstall either of them from your devices if they are installed.
Android apps often share similar or identical names, but the one thing they can’t share is their unique package name, which is how Android and Google Play can differentiate the apps.
The package name of QR Code & Barcode – Scanner is “com.scanner.buratoscanner”. Fast Cleaner uses four package names: “com.
In the Google Play Store, the package name is part of the URL of each app’s listing page, for example “https://play.google.com/store/apps/details?id=com.scanner.buratoscanner”.
Many Android app stores follow similar rules, so if you come across an app with any of these five package names in its URL, avoid it.
Finding the package name of an Android app that is already installed on your phone takes a bit of a workaround. Open the Play Store app on your phone, tap your avatar in the upper right corner, tap “Manage apps and device” and then tap “Manage.”
You will see a list of all installed applications. Tap any one to view its Google Play page, tap the three vertical dots in the top right and tap Share.
A menu will slide out from the bottom of the screen with a URL starting “https://play.google.com/store/apps/” which should be partially visible. Tap the icon that looks like two nested squares to the right of the URL to copy the URL to the clipboard.
Now paste this URL into any text file – it can be a note, Word, Google Doc, or even an email. You should be able to see the full URL of the Google Play Store page for the app, and the end of the URL should contain the app’s package name.
Needless to say, if an app has the same package name as one of the five malicious apps mentioned above, you’ll need to uninstall it. You can do this directly from the Google Play app.
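The final step of the procedure above is a comparison of the package name at the end of each copied URL against a short blocklist. The following Python script is an added example, not code from the article or from ThreatFabric or Cleafy: it parses pasted Google Play share URLs (including ones that carry extra query parameters or use the market:// scheme), extracts and validates the id= package name, and flags any that match the blocklist. The only malicious package name it knows is com.scanner.buratoscanner, because that is the only one the article spells out in full; the sample URLs below are constructed for illustration and the helper names are the example’s own.

```python
import re
from urllib.parse import urlparse, parse_qs

# Package names named in the article. Only the QR Code & Barcode - Scanner
# package is spelled out in full there; add the four Fast Cleaner package
# names from the ThreatFabric report to this set when you have them.
KNOWN_MALICIOUS_PACKAGES = {
    "com.scanner.buratoscanner",  # "QR Code & Barcode - Scanner" (TeaBot dropper)
}

# Android package names are dot-separated Java identifiers with at least two segments.
_PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")


def package_from_play_url(url):
    """Return the package name carried in a Google Play details URL, or None.

    Accepts https://play.google.com/store/apps/details?id=... (what the
    Play Store's Share sheet copies, possibly with extra parameters such as
    &hl=en appended) and market://details?id=..., the scheme Android uses
    internally. Anything else, or an id that is not a valid package name,
    yields None so the caller does not act on garbage.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme in ("http", "https"):
        if parsed.netloc.lower() != "play.google.com":
            return None
        if parsed.path != "/store/apps/details":
            return None
    elif parsed.scheme != "market":
        return None
    ids = parse_qs(parsed.query).get("id")
    if not ids:
        return None
    pkg = ids[0]
    return pkg if _PACKAGE_RE.fullmatch(pkg) else None


def check_play_urls(urls, blocklist=KNOWN_MALICIOUS_PACKAGES):
    """Return (url, package_or_None, flagged) for each pasted URL."""
    results = []
    for url in urls:
        pkg = package_from_play_url(url)
        results.append((url, pkg, pkg is not None and pkg in blocklist))
    return results


def flagged_packages(urls, blocklist=KNOWN_MALICIOUS_PACKAGES):
    """Just the package names from `urls` that are on the blocklist."""
    return sorted({pkg for _, pkg, hit in check_play_urls(urls, blocklist) if hit})


# Constructed sample input: URLs as they might be pasted from the Share sheet.
SAMPLE_URLS = [
    "https://play.google.com/store/apps/details?id=com.scanner.buratoscanner",
    "https://play.google.com/store/apps/details?id=com.scanner.buratoscanner&hl=en&gl=US",
    "market://details?id=com.scanner.buratoscanner",
    # Same display name, different (placeholder) package: NOT a match, which is
    # exactly why the article says to compare package names, not app names.
    "https://play.google.com/store/apps/details?id=com.example.placeholder.qrscanner",
    "https://not-play.example.com/store/apps/details?id=com.scanner.buratoscanner",
]

if __name__ == "__main__":
    for url, pkg, hit in check_play_urls(SAMPLE_URLS):
        status = "MALICIOUS - uninstall" if hit else ("ok" if pkg else "not a Play URL")
        print(f"{status:22} {pkg or '-':40} {url}")
```

The look-alike-name URL in the sample is there on purpose: it shares a display name with the malicious scanner but has a different package name, so it is not flagged. Conversely, a URL with the right package name on a host other than play.google.com is ignored rather than trusted, since the check is only meaningful for URLs copied from the Play Store itself.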
To protect against infection from malicious apps, it is a good idea to install one of the best antivirus apps for Android. Google has a built-in program called Google Play Protect, but it obviously doesn’t work very well.