A fraudulent two-factor authentication (2FA) app has been deleted from Google Play after being accessible for more than two weeks — but not until it was downloaded over 10,000 times. The Vultur stealer malware, which targets and swoops down on financial data, is put into the app, which is completely functioning as a 2FA authenticator.
Researchers at Pradeo warn users who have the malicious software, simply dubbed “2FA Authenticator,” to remove it immediately since they are still in danger — both from banking-login theft and other attacks are primarily driven by the app’s vast over-permissions.
Using open-source Aegis authentication code injected with malicious add-ons, the threat actors created an operable and convincing application to conceal the malware dropper. According to a Pradeo analysis issued on Thursday, this enabled it to grow unnoticed through Google Play.
“As a result, the application is successfully disguised as an authentication tool, which ensures it maintains a low profile,” the report added.
The Vultur banking trojan is installed after the software is downloaded, and it takes financial and banking data from the affected smartphone, among other things. The Vultur remote access trojan (RAT) malware, initially discovered by ThreatFabric investigators in March, was the first of its type to leverage keylogging and screen recording as its primary method for stealing banking data, allowing the organization to automate and expand the process of collecting credentials.
According to the Pradeo team, the fake 2FA authenticator also requests device rights that aren’t shown in the Google Play profile. The report explains that attackers can use those sneaky, elevated privileges to do things like access user location data so attacks can be targeted at specific regions, disable device lock and password security, download third-party apps, and take control of the device even if the app is shut down.
Pradeo unearthed another sneaky tactic used by the rogue 2FA by acquiring the SYSTEM_ALERT_WINDOW permission, which allows the app to modify the interfaces of other mobile apps. As Google itself explained, “Very few apps should use this permission; these windows are intended for system-level interaction with the user.”
The report revealed that after the device is completely infected, the app installs Vultur, “an advanced and relatively new kind of malware that mostly targets online banking interface to steal users’ credentials and other critical financial information.” The Pradeo team noted that while the researchers filed their discovery to Google Play, the malicious 2FA Authenticator app loaded with the banking malware remained available for 15 days.