2FA Authenticator App from Google Play Spread Banking Trojan
The 2FA Authenticator app, downloaded about 10,000 times from the Google Play Store, offered working two-factor authentication but also acted as a dropper for the Vultur banking trojan. Once installed, Vultur harvested banking credentials, financial data and other personal information from infected devices.
Discovery and Functionality
Security analysts at Pradeo discovered the suspicious app. 2FA Authenticator appeared in the Google Play Store in mid-January 2022, presenting itself as an alternative to other 2FA apps from Google, Twilio and other well-known companies.
The Vultur malware was first identified by ThreatFabric researchers in 2021. One of its key features is a real VNC screen-sharing implementation, which lets attackers mirror the screen of an infected device. Rather than relying on fake login overlays, the operators watch and record what the victim types, so credentials and other sensitive information are captured in real time.
How the App Worked
To make 2FA Authenticator look legitimate, it was built on the open-source code of the Aegis authenticator. Analysis showed that the app did provide working two-factor authentication as advertised. However, it also collected a list of all installed apps and the device's geolocation. It could disable the Android lock screen, download third-party apps disguised as "updates", and draw overlays on top of other apps to confuse users.
If the infected device was in a targeted location and had specific apps installed, the second stage of the attack would install the Vultur banking trojan. Vultur was programmed to record everything happening on the screen whenever one of 103 banking, financial, or cryptocurrency apps was launched.
Warning Signs and Permissions
Researchers noted that the malicious nature of the app could be detected by the permissions it requested, which included:
- permission.QUERY_ALL_PACKAGES
- permission.SYSTEM_ALERT_WINDOW
- permission.REQUEST_INSTALL_PACKAGES
- permission.INTERNET
- permission.FOREGROUND_SERVICE
- permission.RECEIVE_BOOT_COMPLETED
- permission.DISABLE_KEYGUARD
- permission.WAKE_LOCK
Aegis is a simple, offline, open-source TOTP generator: it needs no network access, no list of installed packages, no overlay capability and no ability to install other APKs, so it should never request permissions like these. Another clear sign of malicious activity was the downloading of additional apps disguised as updates.
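The permission check the researchers describe can be automated against a decoded manifest. The script below is an added example written for this page, not Pradeo's tooling or Aegis code: it parses the `AndroidManifest.xml` that apktool or a similar decoder produces, flags the permissions the article lists as unnecessary for an authenticator, and reports whether the dropper combination (enumerate apps, draw overlays, install packages) is present. The sample manifest is constructed for illustration, and the grouping of permissions into "what they enable" is this example's own heuristic.

```python
"""Flag Android permissions an authenticator app has no business requesting.

Added example for this article; not the real app's manifest or any vendor's
detection logic. SAMPLE_MANIFEST is constructed and declares the permissions
the article lists, plus CAMERA (needed for QR-code enrolment and so benign).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions named in the article as warning signs for an authenticator.
# The one-line rationale per permission is this example's, for the report.
SUSPICIOUS_FOR_AUTHENTICATOR = {
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed apps (target selection)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install additional APKs ('updates')",
    "android.permission.INTERNET": "network access (an offline TOTP app needs none)",
    "android.permission.FOREGROUND_SERVICE": "keep a service running in the background",
    "android.permission.RECEIVE_BOOT_COMPLETED": "auto-start after reboot (persistence)",
    "android.permission.DISABLE_KEYGUARD": "dismiss the lock screen",
    "android.permission.WAKE_LOCK": "keep the device awake",
}

# The three capabilities a dropper needs: pick targets, hide the install, install.
DROPPER_PATTERN = {
    "android.permission.QUERY_ALL_PACKAGES",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Constructed manifest fragment in the form a decoder emits (hypothetical package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.authenticator">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application android:label="2FA Authenticator"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every android:name on a <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def flag_permissions(manifest_xml: str) -> dict[str, str]:
    """Map each suspicious permission the manifest declares to why it is suspicious."""
    return {
        perm: SUSPICIOUS_FOR_AUTHENTICATOR[perm]
        for perm in declared_permissions(manifest_xml)
        if perm in SUSPICIOUS_FOR_AUTHENTICATOR
    }


def has_dropper_pattern(manifest_xml: str) -> bool:
    """True when the app can enumerate targets, overlay the screen and install APKs."""
    return DROPPER_PATTERN.issubset(declared_permissions(manifest_xml))


def report(manifest_xml: str) -> str:
    """Human-readable summary of the check, one line per flagged permission."""
    flagged = flag_permissions(manifest_xml)
    lines = [f"{p}: {why}" for p, why in flagged.items()]
    verdict = "dropper pattern present" if has_dropper_pattern(manifest_xml) else "no dropper pattern"
    return "\n".join(lines + [f"{len(flagged)} suspicious permission(s); {verdict}"])


if __name__ == "__main__":
    print(report(SAMPLE_MANIFEST))
```

Run it against a real APK by decoding first (`apktool d app.apk` yields a readable `AndroidManifest.xml`) and passing that file's contents to `report`. The check is deliberately app-type specific: the same permissions are legitimate in a launcher or a device-management agent, so the baseline should be chosen per category rather than treated as a universal blocklist.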
Removal and Impact
2FA Authenticator has now been removed from the official app store. However, between January 12 and January 26, 2022, about 10,000 users had already installed it.