A Google Play app with more than 10,000 downloads carried remote access trojan

According to a security firm, a malicious app downloaded more than 10,000 times from Google Play installed remote access malware that collected users’ passwords, text messages, and other private data.

The trojan, which goes by the aliases TeaBot and Anatsa, was discovered in May of last year. It exploited Android’s accessibility services and leveraged streaming software to let the malware developers remotely view the displays of compromised devices and interact with the operations performed on them.

At the time, TeaBot was built to steal data from roughly 60 banks throughout the world, working from a specified list of applications.

TeaBot is back to serve more malware

Security firm Cleafy reported on Tuesday that TeaBot was back. This time, it piggybacked on a malicious app called QR Code and Barcode Scanner, which users install to interact with QR codes and barcodes.

The app racked up more than 10,000 installations before the security firm found out about it and notified Google to remove it.

Cleafy researchers wrote that one of the most significant differences compared to the samples found in May 2021 is the increase in the number of targeted apps, which now include home banking apps, crypto wallets & exchanges, and insurance apps.

Unprecedented risk increases

The researchers added that the number of apps TeaBot targets has grown by more than 500% (from 60 to more than 400 apps).

In recent months, the bot started supporting new languages, including Mandarin Chinese, Russian, and Slovak, to show custom messages on hijacked devices.

Only two antimalware services were able to detect the malware in the app, which flew under the radar by asking for only a few permissions when it was downloaded. Since the reviews made it look like a legitimate app, regular users could not tell it was malicious at the time.