A fake 2FA authenticator was found to have been downloaded 10,000 times from Google Play. The app was known to install a banking-fraud trojan that looks for financial data and other personal information on the infected device.

Fake 2FA Authenticator App Downloaded from Google Play

The security firm Pradeo said that the fake app "surreptitiously" installed a popular trojan that looks for financial data and personal information on infected devices. The 2FA Authenticator went live two weeks ago on Google Play as an alternative to other legitimate 2FA apps from trusted companies like Twilio and Google.

According to the story by Ars Technica, the app steals personal information and uses it to determine whether infected phones should proceed to download and install a banking trojan that has already infected thousands of different phones in the past.

App Installs an Advanced Piece of Android Malware

ThreatFabric, a security firm, discovered Vultur, an advanced piece of Android malware. As per the publication, its innovations include the use of a real implementation of the VNC screen-sharing app, which mirrors the screens of infected devices so that attackers can see login credentials and other sensitive data from finance and banking apps in real time.

To make the fake app look natural, its developers started with a legitimate sample, as seen on GitHub, of "the open-source Aegis authentication app." As a result, the malware analysis showed that the fake app was programmed to provide the advertised authentication service.

Fake App Checks for Financial, Cryptocurrency, and Banking Apps

Behind the scenes, the app collects a list of the apps installed on the device, along with the device's geographical location. The app also disables the Android lock screen, downloads certain third-party apps disguised as "updates," and overlays other interfaces to confuse the victims.

If the device was in the right locations and had the right apps installed, 2FA Authenticator would then install Vultur as stage two. Vultur was programmed to record Android device screens when any of the 103 different financial, cryptocurrency, or banking apps are running in the background.

App Installed 10,000 Times on Google Play

As per Pradeo, the 2FA Authenticator went live on Jan. 12, with researchers notifying Google that the app was malicious on Jan. 26. The company then removed the app after about 12 hours.

The app was installed around 10,000 times while it was available on Google Play. At the moment, it isn't clear if the company notified all users that the security app was a banking-fraud trojan.

There were red flags in the 2FA Authenticator that experienced Android users spotted as signs that it was malicious. One of them was the extraordinary number of system permissions that the app requires.
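The permission red flag can be checked mechanically. The script below is an added example, not code from Pradeo, ThreatFabric or the article: it reads a decoded AndroidManifest.xml and flags the permissions that enable the behaviors described above. The sample manifest, the package name, the behavior-to-permission mapping and the authenticator baseline are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: Android permissions that enable the behaviors in the article.
RISKY = {
    "android.permission.QUERY_ALL_PACKAGES": "list installed apps",
    "android.permission.ACCESS_FINE_LOCATION": "read device location",
    "android.permission.ACCESS_COARSE_LOCATION": "read device location",
    "android.permission.DISABLE_KEYGUARD": "disable the lock screen",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install downloaded 'updates'",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay other apps",
}
# Assumed baseline for an offline authenticator: QR scanning and biometric unlock.
BASELINE = {"android.permission.CAMERA", "android.permission.USE_BIOMETRIC"}

# Constructed sample manifest (decoded text form), not taken from the real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fake2fa">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def audit_manifest(manifest_xml):
    """Return the requested-permission count, risky hits and off-baseline extras."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    flagged = {p: RISKY[p] for p in sorted(requested) if p in RISKY}
    unexpected = sorted(requested - BASELINE - set(RISKY))
    return {"requested": len(requested), "flagged": flagged, "unexpected": unexpected}

if __name__ == "__main__":
    report = audit_manifest(SAMPLE)
    for perm, why in report["flagged"].items():
        print(f"RISKY      {perm}: {why}")
    print("UNEXPECTED", report["unexpected"])
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text before it is passed to this script.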

This article is owned by Tech Times

Written by Urian B.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.