Getty Images
Security firm Pradeo says a fake two-factor authentication app that has been downloaded about 10,000 times from Google Play secretly installed a known banking fraud Trojan that searches infected phones for financial data and other personal information .
2FA authenticator Go live on Google Play Two weeks ago, posing as an alternative to legitimate 2FA apps Google, Tevilioand other trusted companies.In fact, researchers from the security firm Pradeo said thursdayan app that steals personal data from a user’s device and uses it to determine if an infected phone should download and install a banking Trojan that has infected thousands of phones in the past.
Vultures are circling
found last year Presented by security firm ThreatFabric, Vultur is an advanced Android malware. One of its many innovations is that it uses a real-world implementation of a VNC screen-sharing application to mirror the screen of an infected device so that attackers can collect login credentials and other sensitive data from banking and financial applications in real-time.
In order to make 2FA Authenticator look real, its developers started this legitimate sample Open source Aegis authentication application. Analysis of the malware revealed that it was indeed programmed to provide the authentication service it advertised.
Behind the scenes, however, the first phase of 2FA Authenticator collects a list of apps installed on the device and the device’s geographic location. The app will also disable the Android lock screen, download third-party apps under the guise of “updates,” and overlay other mobile app interfaces to confuse users.
The second stage of 2FA Authenticator installs Vultur if the infected phone is in the right location and has the right app installed, and the final check is programmed to run on any of 103 banking, financial or cryptocurrency apps Record Android device screen in foreground.
2FA Authenticator went live on Jan. 12, and company researchers notified Google on Jan. 26 that the app was malicious, and Google removed it about 12 hours later, Pradeo said. About 10,000 users installed the app within two weeks of its launch on Play. It’s unclear whether Google notified any of them that the security app they believed was actually a banking fraud Trojan.
In retrospect, experienced Android users may have found 2FA Authenticator malicious. Chief among them is the number and breadth of system permissions it requires. They include:
- android.permission.QUERY_ALL_PACKAGES
- android.permission.SYSTEM_ALERT_WINDOW
- android.permission.REQUEST_INSTALL_PACKAGES
- android.permission.INTERNET
- android.permission.FOREGROUND_SERVICE
- android.permission.RECEIVE_BOOT_COMPLETED
- android.permission.DISABLE_KEYGUARD
- android.permission.WAKE_LOCK
Official Aegis open source application code does not require these permissions. App downloads pretending to be updates could be another sign of a problem with 2FA Authenticator.
A Google Play user’s review of 2FA Authenticator.
Pradeo
An email seeking comment from a developer address listed on Google Play did not receive an immediate response.The same malicious 2FA Authenticator app is still available in third-party marketplaces here, hereand hereA Google representative had no immediate comment.
