An attendee inspects the Nexus 5X phone during a Google media event on Sept. 29, 2015, in San Francisco. (Photo by Justin Sullivan/Getty Images)

The TeaBot banking malware that steals the credentials of Android device users is evolving and spreading to other applications and countries, researchers said in a March 1 blog post.

Researchers at Cleafy Labs said TeaBot, first observed in early 2021 targeting European banks and distributed through SMS messages, now targets more than 400 applications and has been detected in Russia, Hong Kong and the United States.

TeaBot was initially spread through smishing campaigns that used a list of lures such as TeaTV, VLC Media Player and others. Once installed, the remote access trojan (RAT) livestreams the device's screen to the threat actors, who harvest the credentials shown on it and use them to take over the device.

But recent samples show the malware has evolved to include distribution via a QR code scanning app in the Google Play Store. After the user installs that app, it requests permission to download and install a second application, fetched from a GitHub repository hosting multiple TeaBot samples. Once that second package is installed, TeaBot asks for permission to view and control the device's screen (Android's accessibility service), which it uses to harvest login credentials, SMS messages and two-factor authentication codes.
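The infection chain above maps onto a small set of Android capabilities a dropper has to declare: installing another package, binding an accessibility service to view and control the screen, and reading SMS. The following triage script is an added example, not code from Cleafy or from this article; it parses a decoded AndroidManifest.xml (as produced by apktool) and scores that capability combination. The function names, scoring thresholds and the two sample manifests (one with the dropper profile, one resembling a benign QR scanner) are constructed for illustration.

```python
"""Triage heuristic for Android droppers with the TeaBot-style profile.

Added example (not Cleafy's or the article's code). Scores a decoded
AndroidManifest.xml for three capabilities: installing a second package,
an accessibility service that can view/control the screen, and SMS access.
Sample manifests and thresholds below are constructed, not real samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"          # android:name
PERM_ATTR = f"{{{ANDROID_NS}}}permission"    # android:permission

# Capability -> manifest permissions that grant it.
CAPABILITIES = {
    "install_second_package": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "read_sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "network": {"android.permission.INTERNET"},
}
KEY_CAPS = ("accessibility_service", "install_second_package", "read_sms")

# Constructed sample: a "QR scanner" carrying the dropper profile.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscanner.constructed">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: what a QR scanner actually needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscanner.benign">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""


def analyze_manifest(xml_text: str) -> dict:
    """Return the package name and which capabilities the manifest declares."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    caps = {cap: bool(perms & needed) for cap, needed in CAPABILITIES.items()}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
    # that is the "view and control the screen" permission the user is asked for.
    caps["accessibility_service"] = any(
        s.get(PERM_ATTR) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service")
    )
    return {"package": root.get("package"), "capabilities": caps}


def dropper_score(report: dict) -> tuple:
    """Score 0-3 over the key capabilities plus a verdict (thresholds are assumptions)."""
    caps = report["capabilities"]
    score = sum(1 for c in KEY_CAPS if caps[c])
    if caps["accessibility_service"] and caps["install_second_package"]:
        verdict = "likely dropper"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "no dropper profile"
    return score, verdict


if __name__ == "__main__":
    for text in (DROPPER_MANIFEST, BENIGN_MANIFEST):
        report = analyze_manifest(text)
        score, verdict = dropper_score(report)
        print(f"{report['package']}: score={score} verdict={verdict}")
```

The heuristic is deliberately narrow: a utility that claims to scan QR codes has no reason to install other packages, read SMS, or bind an accessibility service, so any two of those together in such an app deserve a manual look. It is not a detection signature; legitimate accessibility and SMS apps declare the same permissions, and the first-stage app in the chain described above may only declare the install permission and leave the accessibility request to the second package it fetches.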

Cleafy researchers noted that the biggest difference from the TeaBot samples of May 2021 is the target list: over 400 applications, an increase of more than 500% over the 60 targets first observed, and now spanning home banking apps, insurance apps, crypto wallets and crypto exchanges.