Have you installed this malicious Android 2FA authentication app?

Google received a wake-up call this week over the security of the Google Play Store after a malicious Android app remained available for download for 15 days. Meanwhile, over 10,000 people installed the app believing it to be a legitimate two-factor authentication solution.

As ZDNet reports, cybersecurity company Pradeo discovered the malicious application, which is called 2FA Authenticator. The app’s Google Play Store page (which thankfully is no longer available) describes it as “a secure authenticator for your online services, while including some features missing in existing authenticator apps, such as encryption and appropriate safeguards”. However, that was just a front for the app’s real purpose: to steal your financial information.

There is a legitimate app called Aegis Authenticator, which manages your two-step verification tokens. It’s free and open source, so the developers of 2FA Authenticator decided to take full advantage of it. They copied the open source code used for Aegis and injected malicious code into it. The end result is an app that can pass Google’s Play Store security checks, but could become malicious once installed on a user’s Android phone or tablet.

Upon installation, the app asks for “critical permissions” on the device, which allow it to perform a number of tasks, including disabling keylock and password security, downloading third-party apps and updates, continuing to work in the background even after the user has left the app, and placing an overlay on other apps’ interfaces. This is how it gets access to a user’s data.
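For anyone vetting an authenticator app before installing it, the permission pattern described above can be checked against a decoded `AndroidManifest.xml` (for example, one produced by apktool). The following is an added example, not code from Pradeo or from the article: the mapping from the listed capabilities to Android permission names, the threshold of three, and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: the article lists capabilities, not permission names.
# These are the standard Android permissions that grant each capability.
RISKY = {
    "android.permission.DISABLE_KEYGUARD": "disable keylock / password security",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install third-party apps and updates",
    "android.permission.FOREGROUND_SERVICE": "keep working in the background",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on other apps",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def triage(manifest_xml, threshold=3):
    """Flag a manifest that combines several capabilities from the article."""
    hits = {p: RISKY[p] for p in requested_permissions(manifest_xml) if p in RISKY}
    return {"flag": len(hits) >= threshold, "hits": dict(sorted(hits.items()))}

# Constructed sample manifests (hypothetical package names).
SAMPLE_SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeauth">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.plainauth">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        result = triage(manifest)
        print(label, "FLAG" if result["flag"] else "ok", sorted(result["hits"].values()))
```

A flag here only means the app requests more than an offline code generator needs; each of these permissions has legitimate uses on its own, so the result is a prompt for closer review rather than a verdict.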

If 2FA Authenticator finds that a device meets multiple conditions, a Remote Access Trojan (RAT) called Vultur is downloaded and installed without the knowledge of the user. Vultur uses screen recording and keylogging to record details entered in banking apps, allowing the criminals behind this app to drain bank accounts or cryptocurrency wallets.

If this is an app you have installed, the advice is clear: uninstall it immediately and contact all financial/banking services you access through your Android device to ensure your accounts have not been compromised.


About Donald J. Beadle
