Remote access trojans, or RATs, can wreak havoc on your finances. Attackers come at you from every digital direction and the malware they cook up is often insidious in its adaptability. Android banking trojan TeaBot, which has been around since 2021, originally tried to lure users via "smishing," or fake SMS messages from innocent-looking services embedded with malicious links. Unfortunately, it hasn't been fully vanquished, as this year it acquired new methods for creeping onto your phone.

Cybersecurity experts with Cleafy recently published a new report on TeaBot that should put any Android user on guard. The team found that there's been a big jump in the number of TeaBot targets — at least 400 apps used for banking, cryptocurrency transactions, and digital insurance — and the malware has begun targeting victims in Russia, Hong Kong, and the United States.

TeaBot operates using "on-device fraud": it abuses Android's accessibility services and streams the infected device's screen live, which lets attackers interact with the phone remotely and monitor it via key-logging. One of its latest known incarnations emerged via a QR code app on the Play Store, functioning as a poison pill-like dropper for the malware.

[Image: screengrabs depicting the malware-infested app. Source: Cleafy.com]

Users stumbling across the listing probably thought they were downloading a legit-looking QR Code & Barcode Scanner. When it first hits your phone, it is harmless, and even does its intended job — that's how attackers sneak it into the store. As you can see above, this scanner app was at least 10,000 installations strong and reviews for it revealed no red flags. Unfortunately, this is like buying a perfectly functional alarm clock that tricks you into loading it with a bomb.

Upon download, the app issues a popup requesting you install an add-on. While that's not a red flag in and of itself, innocent apps typically install such software via the Google Play Store, while this one tries to trick you into a sideload. A redirection like that can signal the likely presence of a trojan dropper, and here the add-on contains TeaBot.

Once in, the malware goes to work, requesting permission to use your phone's accessibility services, which lets it read and control whatever is on your screen. It can then record fun stuff like logins, SMS, and two-factor authentication codes. This extra-sneaky 2022 incarnation of the RAT picks up new language capabilities (Russian, Mandarin Chinese) to go along with its newly targeted countries, and can sometimes evade conventional detection by standard anti-malware apps.
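The two tells described above, an add-on that arrives by sideload rather than from the Play Store and a package that then obtains accessibility access, can be checked on a device you administer. The script below is an added example, not from Cleafy's report or from TeaBot itself: it parses the plain-text output of two real adb commands (`pm list packages -i`, which prints each package with its installer, and `settings get secure enabled_accessibility_services`) and flags packages that hold accessibility access but were not installed by a trusted store. The sample output embedded in it is constructed, the package names in it are made up, and the trusted-installer list (Play Store only) is an assumption you would extend with your own MDM or OEM store.

```python
"""Triage helper: flag sideloaded apps that also hold accessibility access.

Added example (not code from the article or from Cleafy). It combines the two
signals the article describes for TeaBot-style droppers: a package that did not
come from a trusted app store, and a package that has an accessibility service
enabled. Inputs are the text of two real adb commands:

  adb shell pm list packages -i
  adb shell settings get secure enabled_accessibility_services
"""
import subprocess
from typing import Dict, List, Set

# Installers treated as trusted app stores. Anything else counts as sideloaded:
# "null" is what a plain `adb install` leaves behind, and
# com.google.android.packageinstaller is the system installer used when a user
# taps an APK. Assumption: Play Store only; add your MDM/OEM store if you use one.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample output, not captured from a real device; package names are made up.
SAMPLE_PM = """\
package:com.android.vending  installer=null
package:com.example.scanner  installer=com.android.vending
package:com.example.addon  installer=com.google.android.packageinstaller
package:com.example.talkback  installer=com.android.vending
"""
SAMPLE_A11Y = ("com.example.addon/com.example.addon.A11yService:"
               "com.example.talkback/com.example.talkback.TalkBackService")


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Parse `pm list packages -i` lines of the form
    'package:com.example.app  installer=com.android.vending'
    into {package: installer}. A missing installer field is reported as 'null'."""
    installers: Dict[str, str] = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition(" ")
        installer = "null"
        for field in rest.split():
            if field.startswith("installer="):
                installer = field[len("installer="):]
        installers[pkg] = installer
    return installers


def parse_accessibility_services(setting: str) -> Set[str]:
    """Parse the colon-separated 'pkg/Class:pkg/Class' value of
    enabled_accessibility_services into the set of owning packages.
    The value is 'null' or empty when no service is enabled."""
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def flag_suspicious(pm_output: str, a11y_setting: str,
                    trusted: Set[str] = TRUSTED_INSTALLERS) -> List[str]:
    """Return packages that hold accessibility access but were not installed
    by a trusted store. Legitimate accessibility apps from the store (e.g. a
    screen reader) are not flagged; a sideloaded add-on with the permission is."""
    installers = parse_installers(pm_output)
    return sorted(pkg for pkg in parse_accessibility_services(a11y_setting)
                  if installers.get(pkg, "null") not in trusted)


def collect_from_device() -> List[str]:
    """Run the two adb commands against the connected device and triage them.
    Requires adb on PATH and an authorized device; not used by the offline demo."""
    def adb(*args: str) -> str:
        return subprocess.run(["adb", "shell", *args], check=True,
                              capture_output=True, text=True).stdout
    return flag_suspicious(adb("pm", "list", "packages", "-i"),
                           adb("settings", "get", "secure",
                               "enabled_accessibility_services"))


if __name__ == "__main__":
    # Offline demo on the constructed sample: only the sideloaded add-on is flagged.
    for pkg in flag_suspicious(SAMPLE_PM, SAMPLE_A11Y):
        print("sideloaded package with accessibility access:", pkg)
```

A hit from this check is a reason to look closer, not proof of infection: some users legitimately sideload accessibility tools. It is most useful as a fleet-wide sweep after a report like Cleafy's, run from an MDM or a tethered admin workstation.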

If you have this app installed, which was listed as a product of "QR Barcode Scanner Bussiness [sic] LLC," delete it immediately to avoid strangers buying who-knows-what on your dime (and honestly, maybe think about a full factory wipe). While the exact QR Code app seen in Cleafy's screengrab appears to have been removed from the Play Store, it's a reasonable bet that any app that immediately asks you to install something via unknown sources might be suspect.