2FA app with 10,000 Google Play downloads loaded well-known banking trojan


A fake two-factor-authentication app that has been downloaded some 10,000 times from Google Play surreptitiously installed a known banking-fraud trojan that scoured infected phones for financial data and other personal information, security firm Pradeo said.

2FA Authenticator went live on Google Play two weeks ago, posing as an alternative to legitimate 2FA apps from Google, Twilio, and other trusted companies. In fact, researchers from security firm Pradeo said on Thursday, the app steals personal data from user devices and uses it to determine whether infected phones should download and install a banking trojan already known to have infected thousands of phones in the past.

The vulturs are circling

Discovered last year by security firm ThreatFabric, Vultur is an advanced piece of Android malware. One of its many innovations is its use of a real implementation of the VNC screen-sharing application to mirror the screens of infected devices so attackers can glean, in real time, login credentials and other sensitive data from banking and finance apps.

To make 2FA Authenticator look real, its developers started with this legitimate sample of the open source Aegis authentication application. An analysis of the malware shows that it really was programmed to provide the authentication service it advertised.

Behind the scenes, however, stage one of 2FA Authenticator collected a list of the apps installed on the device along with the device's geographic location. The app would also disable the Android lock screen, download third-party apps under the pretense that they were “updates,” and overlay other mobile app interfaces to confuse users.

In the event that infected phones were in the right regions and had the right apps installed, stage two of 2FA Authenticator would install Vultur, which, at last check, was programmed to record Android device screens when any of 103 banking, financial, or cryptocurrency apps were running in the foreground.

Pradeo said that 2FA Authenticator went live on January 12, that company researchers notified Google that the app was malicious on January 26, and that Google removed it about 12 hours later. Over the two weeks it was available in Play, the app was installed by about 10,000 users. It's not clear if Google has notified any of them that the security app they thought they were getting was, in fact, a banking-fraud trojan.

In hindsight, there were red flags from which experienced Android users could have spotted that 2FA Authenticator was malicious. Chief among them were the extraordinary number and breadth of system permissions it required. They included:

  • android.permission.QUERY_ALL_PACKAGES
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.REQUEST_INSTALL_PACKAGES
  • android.permission.INTERNET
  • android.permission.FOREGROUND_SERVICE
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.DISABLE_KEYGUARD
  • android.permission.WAKE_LOCK

The official Aegis open source app code requires none of these permissions. App downloads posing as updates might be another telltale sign that something was amiss with 2FA Authenticator.
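As an added illustration (not code from the article, from Pradeo, or from the Aegis project), the following Python script reads a decoded AndroidManifest.xml and flags the permissions listed above, which is the kind of triage check a reviewer could run on an authenticator APK before trusting it. The sample manifests, package names and review threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# The permissions the article lists as red flags, with a note on why each is
# out of place in an offline TOTP app (the article says Aegis needs none of them).
RED_FLAG_PERMISSIONS = {
    "android.permission.QUERY_ALL_PACKAGES": "enumerates every installed app",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further APKs ('updates')",
    "android.permission.DISABLE_KEYGUARD": "can disable the lock screen",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts itself after reboot",
    "android.permission.FOREGROUND_SERVICE": "runs a persistent service",
    "android.permission.WAKE_LOCK": "keeps the device awake",
    "android.permission.INTERNET": "network access an offline authenticator does not need",
}

def declared_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return [e.get(ANDROID_NAME) for e in root.iter("uses-permission") if e.get(ANDROID_NAME)]

def triage_manifest(manifest_xml: str, threshold: int = 2) -> dict:
    """Map each red-flag permission to its note; 'review' is True once `threshold`
    or more are present. The threshold is an assumed triage setting, not from the article."""
    flagged = {p: RED_FLAG_PERMISSIONS[p]
               for p in declared_permissions(manifest_xml) if p in RED_FLAG_PERMISSIONS}
    return {"flagged": flagged, "review": len(flagged) >= threshold}

# Constructed sample manifests (not the real app's): the first mimics part of the
# permission set the article reports, the second a permission-free TOTP app.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake2fa">
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="2FA Authenticator"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.totp">
  <application android:label="TOTP"/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SUSPECT_MANIFEST))
```

A decoded manifest can be obtained from an APK with apktool or aapt before running the check; the script does not parse binary XML itself.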

A review of 2FA Authenticator from one Google Play user.


An email seeking comment from the developer address listed in the Google Play listing didn't receive an immediate response. The same malicious 2FA Authenticator app remains available in third-party marketplaces here, here, and here. Google representatives weren't immediately available for comment.
