This nasty Android malware steals your passwords — what you need to know [Update]

Green skull on smartphone screen.
(Image credit: Shutterstock)

UPDATE: After this story was published March 2, Google removed the app containing TeaBot from the Google Play Android app store.

Two more Android banking Trojans have turned up in the Google Play Store, report security researchers. 

One malicious app was downloaded more than 50,000 times before being kicked out of Google Play last week, while the second app called QR Code & Barcode - Scanner was incredibly still in Google Play at the time of this writing and is targeting American users.

The first app, called Fast Cleaner, says it aims for "speeding up the device by removing unused clutter and removing battery optimization blocks," according to a report last week from security firm ThreatFabric

Fast Cleaner works as promised, but it also contains a dropper, which is malware designed to secretly install other programs on a device without the user's knowledge. According to ThreatFabric's analysis, Fast Cleaner's chief payload was a new type of banking Trojan that ThreatFabric called "Xenomorph" after the hungry protagonist of the Alien movie series.

Xenomorph uses screen overlays to deceive the user into typing in usernames and passwords, collects information about infected devices and reads users' text messages. With these powers, it can capture login credentials for bank and webmail accounts. It can also capture and hide the temporary PINs used in two-factor authentication, plus other notifications, texted to your phone.

ThreatFabric took apart Xenomorph's code and found that it could generate convincing fake screens that looked like nearly 60 different apps made by banks in Belgium, Italy, Portugal and Spain. It also could fake (and steal credentials meant for) the Gmail, Google Play, Hotmail,, Microsoft Outlook, PayPal and Yahoo Mail apps.

Unwelcome return

The other Android banking Trojan, TeaBot, is better known and made a return to Google Play last month after previously having been kicked out, reports Italian security firm Cleafy

TeaBot can capture not only the login credentials for bank accounts, webmail and social media, but also snag two-factor-authentication codes meant to block bad guys from logging in with stolen passwords.

Despite Cleafy's report, the malware is still in Google Play in the form of an app called "QR Code & Barcode - Scanner", although there are many apps with similar names and functions. It's been downloaded more than 10,000 times and is accompanied by several user reviews, half of which give the app five stars. (Following publication of this story, the app was removed.)

Like Fast Cleaner, QR Code & Barcode - Scanner is a dropper that evades Google Play's screening mechanisms by not doing anything malicious after it is installed — at least for a while. 

But eventually, reports Cleafy, it requests the user's permission to install an "add-on" that requires the user to allow downloading software from an unknown source — which happens to be the TeaBot banking Trojan. 

Bad move! Tricking you into allowing unknown sources is how the bad guys get you. Plus, once the malicious "add-on" is installed, it abuses Android's accessibility settings (intended for blind or deaf users) to seize control of the phone's screen, interact with other apps, and intercept text messages. 

That means, like Xenomorph, TeaBot can capture not only the login credentials for bank accounts, webmail, social media and other sensitive accounts, but also snag the texted or generated two-factor-authentication codes that are meant to block bad guys from logging in with stolen passwords.

TeaBot originally targeted banks in Spain, Germany and Italy when it first appeared in mid-2021, noted Cleafy, but the malware has spread its wings and now focuses on the United States. 

How to spot, avoid and remove malicious Android apps

Naturally, you will want to make sure you don't download either of these malicious apps from either Google Play or an "off-road" Android app store. You'll also want to uninstall either from your devices if they happen to be installed.

Android apps often share similar or identical names, but one thing they can't share is their unique package name, which is how Android and Google Play can tell apps apart. 

QR Code & Barcode - Scanner's package name is "com.scanner.buratoscanner". Fast Cleaner uses four package names: "com.census.turkey", "com.laundry.vessel", "com.tip.equip" and "com.spike.old".

In the Google Play store, the package name is part of the URL of each app's listing page, e.g. "". 

Many other Android app stores follow similar conventions, so if you come across an app with any of those five package names in the URLs, avoid them.

Figuring out the package name of Android apps already installed on your phone is a bit of a workaround. Open the Play Store app on your phone, tap your own avatar in the upper right corner, tap "Manage apps & device" and then tap "Manage".

You'll see a list of all installed apps. Tap any one to bring up its Google Play page, then tap the three vertical dots in the upper right and tap "Share". 

A menu will slide up from the bottom of the screen with a URL beginning "" that should be partly visible. Tap the icon that looks like two nested squares to the right of the URL to copy the URL to the Clipboard. 

Now paste that URL into any text file — it can be a note, a Word or Google doc or even an email message. You should be able to see the full URL of the app's Google Play Store page, and the end of the URL should contain the app's package name.

Needless to say, if an app has the same package name as one of the five malicious apps listed above, you'll want to uninstall it. You can do that right from the Google Play app.

To guard against infection from malicious apps, it helps to have one of the best Android anti‏virus apps installed. Google has a built-in one called Google Play Protect, but it obviously doesn't work very well.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.