Applications that offer two-factor authentication (2FA) are supposed to add a layer of security to mobile phones. But a "2FA Authenticator" app that circulated on the Google Play Store actually contained data-stealing malware.
On the cached page of the 2FA Authenticator app on the Google Play Store, this app claims to be able to provide authenticators for various online services, as well as encryption and backup. This application also claims to be able to import data from other authenticators such as Google Authenticator, Microsoft Authenticator, Authy, and Steam.
This rogue app was discovered by researchers from the cybersecurity firm Pradeo. 2FA Authenticator does function normally like any other authenticator app, but it also acts as a dropper for the Vultur malware, which is designed to steal banking data.
"This application has been developed to look genuine and provide a true service," said Pradeo researchers in the report, as quoted from ZDNet, Monday (31/1/2022).
"To do so, the developers used the open-source code of the official Aegis authentication app which they injected with malicious code. As a result, this app was successfully disguised as an authentication tool that ensures it remains low profile," he continued.
Once the user installs the 2FA Authenticator app, the attack proceeds in two stages. First, the app requests a range of permissions from the user, including camera and biometric access, the ability to draw over system alerts, the ability to query installed packages, and the ability to turn off the keylock.
These permissions allow the malware to perform several actions, including collecting local data for targeted attacks, turning off keylock and password security, downloading external applications, and creating overlay windows on top of other application windows.
After all these access permissions are granted, the dropper then installs the Vultur malware. According to a ThreatFabric report, Vultur is a remote access trojan (RAT) that is relatively new to the malware landscape.
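The two-stage behaviour described above is visible in the permission set an app declares. As an added example (not code from Pradeo's or ThreatFabric's reports), the script below audits a constructed AndroidManifest.xml for an app claiming to be an authenticator: camera and biometric access are expected, while the remaining capabilities the article lists are flagged. The mapping of those capabilities to manifest permission names is my assumption, as is the placeholder package name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# What a legitimate authenticator plausibly needs: camera for QR-code
# enrolment and biometrics for unlocking its local token vault.
EXPECTED_FOR_AUTHENTICATOR = {
    "android.permission.CAMERA",
    "android.permission.USE_BIOMETRIC",
}

# Capabilities the article attributes to the rogue app, mapped to the manifest
# permissions they correspond to (this mapping is an assumption, not from the report).
HIGH_RISK = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows on top of other apps",
    "android.permission.DISABLE_KEYGUARD": "turn off keylock / lock-screen security",
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed apps for targeting",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install external applications (dropper stage)",
}

def audit_manifest(manifest_xml: str) -> dict:
    """Split requested permissions into expected vs. unexpected for an
    authenticator, explain the high-risk ones, and flag the dropper pattern."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # Dropper pattern: can install further packages AND can hide behind an
    # overlay or disable the keyguard while doing so.
    can_install = "android.permission.REQUEST_INSTALL_PACKAGES" in requested
    can_hide = bool(requested & {"android.permission.SYSTEM_ALERT_WINDOW",
                                 "android.permission.DISABLE_KEYGUARD"})
    return {
        "expected": sorted(requested & EXPECTED_FOR_AUTHENTICATOR),
        "unexpected": sorted(requested - EXPECTED_FOR_AUTHENTICATOR),
        "high_risk": {p: HIGH_RISK[p] for p in sorted(requested & HIGH_RISK.keys())},
        "dropper_pattern": can_install and can_hide,
    }

# Constructed sample manifest modelled on the permissions the article lists.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.authenticator">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The same function can be run over the manifest extracted from any APK with a decompiler; a benign authenticator should produce an empty `high_risk` map and `dropper_pattern` equal to `False`.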
Vultur was one of the first malware families to use keylogging and screen recording as its main tactics for stealing banking data. This approach takes longer to yield credentials than the more common overlay attacks, but it makes Vultur considerably harder to detect.
Vultur malware typically attacks European banking institutions and a range of crypto wallet platforms to steal victims' credentials and other important financial information.
Pradeo said the 2FA Authenticator app has now been removed from the Google Play Store. Before its removal, however, the application had been available on the Play Store for at least 15 days and had been downloaded more than 10,000 times.
Users who have already installed this malicious application are advised to remove it from their phone immediately.