Tuesday, June 25, 2024

2FA Authenticator on GooglePlay Store loaded well-known banking trojan

A fake two-factor-authentication app that has been downloaded over 10,000 times from Google Play surreptitiously installed a known banking-fraud trojan that scoured infected phones for financial data and other personal information, security firm Pradeo said.

2FA Authenticator offered real 2FA functionality, but this time it came with strings attached.

2FA Authenticator went live on Google Play two weeks ago, posing as an alternative to legitimate 2FA apps from GoogleTwilio, and other trusted companies. In fact, researchers from security firm Pradeo said on Thursday, the app steals personal data from user devices and uses it to determine whether infected phones should download and install a banking trojan already known to have infected thousands of phones in the past.

The vulturs are circling

Vultur is an advanced piece of Android malware. One of its many innovations is its use of a real implementation of the VNC screen-sharing application to mirror screens of infected devices so attackers can glean in real time the login credentials and other sensitive data from banking and finance apps.

To make 2FA Authenticator look real, its developers started with this legitimate sample of the open source Aegis authentication application. An analysis of the malware shows that it really was programmed to provide the authentication service it advertised.

Malicous 2FA Authenticator Continued

Behind the scenes, however, stage one of the 2FA Authenticator collected a list of apps installed on the device along with the device’s geographic location. The app would also disable the Android lock screen, download third-party apps with the pretense they were “updates,” and overlay other mobile app interfaces to confuse users.

Recommended:  Google Details Two Zero-Day Bugs Reported in Zoom Clients and MMR Servers

In the event infected phones were in the right locations and had the right apps installed, stage two of 2FA Authenticator would install Vultur, which at last check was programmed to record Android device screens when any of 103 banking, financial, or cryptocurrency apps are running in the foreground.

Pradeo said that 2FA Authenticator went live on January 12, that company researchers notified Google that the app was malicious on January 26, and that Google removed it about 12 hours later. Over the two weeks it was available in Play, the app was installed by about 10,000 users. It’s not clear if Google has notified any of them that the security app they thought they were getting was, in fact, a banking-fraud trojan.

In retrospect, there were red flags that experienced Android users could have spotted that 2FA Authenticator was malicious. Chief among them were the extraordinary number and breadth of system permissions it required. They included:

  • android.permission.QUERY_ALL_PACKAGES
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.REQUEST_INSTALL_PACKAGES
  • android.permission.INTERNET
  • android.permission.FOREGROUND_SERVICE
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.DISABLE_KEYGUARD
  • android.permission.WAKE_LOCK

The official Aegis open source app code requires none of these permissions. App downloads posing as updates might be another telltale sign that something was amiss with 2FA Authenticator.

A Review on Google Play Store

An email seeking comment from the developer address listed in the Google Play listing didn’t receive an immediate response. The same malicious 2FA Authenticator app remains available in third-party marketplaces herehere, and here. Google representatives weren’t immediately available for comment.

You may also enjoy reading, The largest DDoS to date, Microsoft mitigates a 3.47 Tbps DDoS attack

Recommended:  Yes, Your Home Security Cameras Can Be Hacked


Got to Cybersecurity News

Go to Homepage

Go to Cybersecurity Academy

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
ClosePlease login
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates