We at K7 Labs recently came across this twitter post aboutTeabot (aka ‘Anatsa’) a banking Trojan. The main infection vector of Teabot was found on the official Google Play Store where it posed as QR Code & BarCode Scanner app with 10,000+ downloads as shown in Figure 1.

Figure 1:  QR Code & BarCode Scanner from Google Play Store

Once launched, this app requests the user to update itself via a popup message as shown in Figure 2.

Figure 2: Update message popup

When the user clicks on the “Update” message this application downloads and installs the malicious Teabot Banking Trojan “main.apk” as shown in Figure 2.

From the ADB Logcat report we noticed that the malware file “main.apk” gets downloaded from a GitHub repository as shown in Figure 3.

Figure 3: ADB Logcat shows malware sample download URL

Figure 4 shows the repository was created by mattiebryan4570, at the time of writing this blog the GitHub repository was still live.

Figure 4: GitHub repository where the malware sample was hosted

In this blog, we will be analyzing the package “com.joy.slab” corresponding to the main.apk which has been downloaded from the above mentioned GitHub repository as shown in Figure 5.

Figure 5: Malicious APK downloaded from GitHub

Once the Teabot malware is installed on the device, the app downloads itself as a QR-Code Scanner: Add-On which frequently brings up the Accessibility Service setting option on the device, as shown in Figure 6, until the user allows this app to have the Accessibility Service enabled. 

Figure 6: Request for accessibility service

Once the permissions are granted, this malicious apk decrypts the malicious payload file called eepHM.json from the app’s assets folder to an executable dex format named ‘eepHM.odex’ and loads the decrypted file as shown in Figure 7.

Figure 7: The logcat image shows the eepHM.odex file execution at runtime

The trojan then attempts to intercept SMS messages and aborts the new SMSReceived broadcast to the victim; as per the bot command “logged_sms” as shown in Figure 8.

Figure 8: Intercept SMS messages

After abusing the Android Accessibility Service, this trojan acts as a keylogger to steal the victim’s keystroke information from the device.

Figure 9:  Keylogger functionality

C2 Communication

Teabot enumerates the list of installed applications on the victim’s device and then sends this list to the C2 server during its first communication. All the communications between C2 and the malware remain encrypted using an XOR key as shown in Figure 10. When one or more targeted apps are found, the C2 server sends the specific payload(s) to the victim’s device to perform an overlay attack and track all the activity related to the identified targeted application(s).

Figure 10: List of installed apps sent encrypted by the malware and the decrypted data

The following are the targeted applications in a typical victim’s device

Figure 11 : Targeted applications

This malware also terminates a predefined list of apps’ process(es), as shown in Figure 12. Interestingly, that list includes a few popular security products as highlighted below, in order to remain undetected.

Figure 12: Apps list terminated
Figure 13: Security related apps list

At K7, we protect all our customers from such threats. Do ensure that you protect your mobile devices with a reputable security product like K7 Mobile Security and scan your devices with it. Also keep your security product and devices updated and patched for the latest vulnerabilities to stay safe from such threats.

Indicators of Compromise (IoCs)

Package Name Hash K7 Detection Name
com.zynksoftware.docuscanapp     13DF6443BF24D0E49566735B93F22646 Trojan-Downloader ( 0058d95d1 )
com.joy.slab 04F4FB5E6CB95DFF7CCEE97B1F7D3636 Trojan ( 0053b5f91 ) 






Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Play Store App Serves Teabot Via GitHub”