{
	"id": "c6579e41-c898-4e35-8657-34dce5f33888",
	"created_at": "2026-04-06T00:17:28.897495Z",
	"updated_at": "2026-04-10T13:12:49.500241Z",
	"deleted_at": null,
	"sha1_hash": "32babdb9fd368a0e447fe37adfdf7ba0e5456940",
	"title": "Play Store App Serves Teabot Via GitHub",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2912205,
	"plain_text": "Play Store App Serves Teabot Via GitHub\r\nPublished: 2022-05-13 · Archived: 2026-04-02 11:10:22 UTC\r\nWe at K7 Labs recently came across this twitter post aboutTeabot (aka ‘Anatsa’) a banking Trojan. The main\r\ninfection vector of Teabot was found on the official Google Play Store where it posed as QR Code \u0026 BarCode\r\nScanner app with 10,000+ downloads as shown in Figure 1.\r\nFigure 1:  QR Code \u0026 BarCode Scanner from Google Play Store\r\nhttps://labs.k7computing.com/index.php/play-store-app-serves-teabot-via-github/\r\nPage 1 of 10\n\nOnce launched, this app requests the user to update itself via a popup message as shown in Figure 2.\r\nFigure 2: Update message popup\r\nWhen the user clicks on the “Update” message this application downloads and installs the malicious Teabot\r\nBanking Trojan “main.apk” as shown in Figure 2.\r\nFrom the ADB Logcat report we noticed that the malware file “main.apk” gets downloaded from a GitHub\r\nrepository as shown in Figure 3.\r\nFigure 3: ADB Logcat shows malware sample download URL\r\nFigure 4 shows the repository was created by mattiebryan4570, at the time of writing this blog the GitHub\r\nrepository was still live.\r\nhttps://labs.k7computing.com/index.php/play-store-app-serves-teabot-via-github/\r\nPage 2 of 10\n\nFigure 4: GitHub repository where the malware sample was hosted\r\nIn this blog, we will be analyzing the package “com.joy.slab” corresponding to the main.apk which has been\r\ndownloaded from the above mentioned GitHub repository as shown in Figure 5.\r\nFigure 5: Malicious APK downloaded from GitHub\r\nOnce the Teabot malware is installed on the device, the app downloads itself as a QR-Code Scanner: Add-On\r\nwhich frequently brings up the Accessibility Service setting option on the device, as shown in Figure 6, until the\r\nuser allows this app to have the Accessibility Service enabled. 
\r\nFigure 6: Request for accessibility service\r\nOnce the permission is granted, the malicious APK decrypts a payload file called eepHM.json from the app’s assets folder into a DEX file named ‘eepHM.odex’ and loads it at runtime, as shown in Figure 7. Because the working code sits in an encrypted asset and is only decrypted on the device, the installed APK’s own classes reveal little to static analysis; the decrypted eepHM.odex is the file to recover from the device for analysis.\r\nFigure 7: The logcat image shows the eepHM.odex file execution at runtime\r\nThe Trojan then intercepts incoming SMS messages and aborts the SMS_RECEIVED broadcast so that the message never reaches the victim, as directed by the bot command “logged_sms”, as shown in Figure 8. Note that since Android 4.4 (KitKat) the SMS_RECEIVED broadcast can no longer be aborted by an app that is not the default SMS app, so this suppression only succeeds on older devices or once the malware has made itself the default SMS app; reading the message content does not depend on it.\r\nFigure 8: Intercept SMS messages\r\nBy abusing the Android Accessibility Service, the Trojan also acts as a keylogger, capturing the victim’s keystrokes from the device.\r\nFigure 9: Keylogger functionality\r\nC2 Communication\r\nTeabot enumerates the applications installed on the victim’s device and sends this list to the C2 server in its first communication. All communication between the C2 and the malware is XOR-encoded with a key, as shown in Figure 10; XOR with a recoverable key is obfuscation rather than encryption, which is why the captured traffic could be decoded as the figure shows. When one or more targeted apps are found, the C2 server sends the specific payload(s) to the victim’s device to perform an overlay attack and track all activity related to the identified target application(s).\r\nFigure 10: List of installed apps sent encrypted by the malware and the decrypted data\r\nFigure 11 lists the applications targeted on a typical victim’s device.\r\nFigure 11: Targeted applications\r\nThis malware also terminates the processes of a predefined list of apps, as shown in Figure 12. Interestingly, that list includes a few popular security products, highlighted in Figure 13, so that the malware can remain undetected.\r\nFigure 12: Apps list terminated\r\nFigure 13: Security related apps list\r\nAt K7, we protect all our customers from such threats. Do ensure that you protect your mobile devices with a reputable security product like K7 Mobile Security and scan your devices with it. Also keep your security product and devices updated and patched for the latest vulnerabilities to stay safe from such threats.\r\nIndicators of Compromise (IoCs)\r\nPackage Name | Hash (MD5) | K7 Detection Name\r\ncom.zynksoftware.docuscanapp | 13DF6443BF24D0E49566735B93F22646 | Trojan-Downloader ( 0058d95d1 )\r\ncom.joy.slab | 04F4FB5E6CB95DFF7CCEE97B1F7D3636 | Trojan ( 0053b5f91 )\r\nC2\r\nhxxp://62[.]182[.]81[.]71/api/\r\nhxxp://185[.]215[.]113[.]31:83/api\r\nSource: https://labs.k7computing.com/index.php/play-store-app-serves-teabot-via-github/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/play-store-app-serves-teabot-via-github/"
	],
	"report_names": [
		"play-store-app-serves-teabot-via-github"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434648,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32babdb9fd368a0e447fe37adfdf7ba0e5456940.pdf",
		"text": "https://archive.orkl.eu/32babdb9fd368a0e447fe37adfdf7ba0e5456940.txt",
		"img": "https://archive.orkl.eu/32babdb9fd368a0e447fe37adfdf7ba0e5456940.jpg"
	}
}