As explained by BleepingComputer, after installation the application prompts the user to install an update via a popup message; unlike the procedure required by Play Store rules, the update is fetched from an external source rather than from the store.
The download source was traced back to two GitHub repositories belonging to the same user (feleanicusor), which contained numerous TeaBot samples, uploaded on February 17, 2022.
When the victim approves the installation of an update from an untrusted source, the TeaBot banking trojan is installed on their device as a new app called ‘QR Code Scanner: Add-On.’
The new app launches automatically and asks for permission to use the Accessibility Services, which lets it view the device’s screen and capture screenshots that disclose logins, 2FA codes, text messages, and other sensitive information.
It also performs actions in the background without any user interaction, such as automatically granting itself additional permissions.