Banking Trojan Masquerades as Android Password Security App

A password security app available through the Google Play Store, which has been downloaded more than 10,000 times, is actually a malware dropper that delivers a banking Trojan.

The malicious app – 2FA Authenticator – was identified by security researchers at Pradeo and was found to deliver a banking Trojan called Vultur, which targets financial services and steals banking credentials and other sensitive data.

2FA authenticators are security apps that improve password security by requiring a second factor, in addition to a password, to authenticate a user. If that second factor – a one-time authentication code, for example – is not provided, access to the account is not granted even when the correct username and password are used. While these apps can improve security, in this case the app also performs other actions: it profiles the user and delivers a banking Trojan.

The 2FA Authenticator app was developed to appear entirely benign and does provide a genuine service. The developers built it on the open-source code of the genuine Aegis authentication app, but injected their own malicious code so that the 2FA Authenticator app could also serve as a malware dropper.

For the malware dropper to work, the app requires additional permissions to be granted that would not normally be needed by a 2FA app. Those permissions include camera, disable_keyguard, foreground_service, Internet, query_all_packages, receive_boot_complete, request_install_packages, use_biometric, use_fingerprint, wake_lock, and system_alert_window. The system_alert_window permission is key, as it allows the app to draw overlays on top of other mobile applications’ interfaces.
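One way to put the permission list above to practical use, as an added example that is not part of the article or of Pradeo's research: a short Python triage script that pulls the uses-permission entries out of an AndroidManifest.xml, tags each permission with the capability it grants, and reports whether the combination adds up to a dropper (network plus package installation) or to targeted overlay phishing (overlay plus app enumeration). The two manifests are constructed for this example; the first mirrors the article's permission list written out as the corresponding Android constants (the page's "receive_boot_complete" corresponds to RECEIVE_BOOT_COMPLETED), and the package names and capability groupings are assumptions an analyst would tune.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace (android:name etc.).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest (not the real app's): the permission set mirrors the
# list reported in the article, as the Android permission constants.
DROPPER_LIKE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.authenticator">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
    <uses-permission android:name="android.permission.USE_FINGERPRINT"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Authenticator"/>
</manifest>
"""

# Constructed manifest for an offline TOTP app that only scans QR codes.
OFFLINE_TOTP_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.offlinetotp">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Offline TOTP"/>
</manifest>
"""

# Capability each permission grants, from a reviewer's point of view
# (assumed grouping; extend it for other permissions you care about).
PERMISSION_CAPABILITY = {
    "android.permission.INTERNET": "network",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence",
    "android.permission.FOREGROUND_SERVICE": "persistence",
    "android.permission.WAKE_LOCK": "persistence",
    "android.permission.QUERY_ALL_PACKAGES": "profiling",
    "android.permission.DISABLE_KEYGUARD": "lock-bypass",
    "android.permission.CAMERA": "device-access",
    "android.permission.USE_BIOMETRIC": "device-access",
    "android.permission.USE_FINGERPRINT": "device-access",
}


def declared_permissions(manifest_xml: str) -> list:
    """Return every <uses-permission android:name=...> value in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:
            names.append(name)
    return names


def triage(manifest_xml: str) -> dict:
    """Group permissions by capability and derive coarse verdicts from the combination."""
    perms = set(declared_permissions(manifest_xml))
    capabilities = {}
    for perm in sorted(perms):
        group = PERMISSION_CAPABILITY.get(perm, "uncategorised")
        capabilities.setdefault(group, []).append(perm)
    caps = set(capabilities)
    return {
        "permissions": sorted(perms),
        "capabilities": capabilities,
        # Fetching bytes from the network and installing packages is what a dropper needs.
        "dropper_capable": {"network", "install"} <= caps,
        # Overlays plus a list of installed apps enable app-specific overlay phishing.
        "overlay_phishing_capable": {"overlay", "profiling"} <= caps,
        # Boot receivers, foreground services and wake locks keep it running unattended.
        "persists_unattended": "persistence" in caps,
    }


if __name__ == "__main__":
    for label, manifest in (("dropper-like", DROPPER_LIKE_MANIFEST),
                            ("offline TOTP", OFFLINE_TOTP_MANIFEST)):
        report = triage(manifest)
        print(f"{label}: {len(report['permissions'])} permissions")
        for group, names in sorted(report["capabilities"].items()):
            print(f"  {group:14} {', '.join(n.rsplit('.', 1)[-1] for n in names)}")
        print(f"  dropper_capable={report['dropper_capable']} "
              f"overlay_phishing_capable={report['overlay_phishing_capable']} "
              f"persists_unattended={report['persists_unattended']}")
```

The verdicts are deliberately coarse: a single permission rarely condemns an app, but the combination of network access, package installation, boot persistence and overlays in an app whose advertised job is to show six-digit codes is exactly the mismatch a reviewer should be able to spot before install.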

The additional permissions are hidden and were not disclosed in the app’s Google Play listing. Once the app is installed and the permissions are granted, it can execute automatically and will ultimately deliver the Vultur payload; during the first stage of the attack, however, the victim is profiled.

First, the list of installed applications and localization information are sent to the threat actors, which allows them to target country-specific applications. This approach helps them stay under the radar and avoid alerting users that their device has been compromised. Security features on the device, such as the keylock, are disabled, and additional applications are then downloaded under the guise of updates. The app can also perform activities while it is shut off, thanks to the hidden permissions granted by the user. After profiling, if certain conditions are met, the malware dropper delivers Vultur.

Vultur is a remote access Trojan (RAT) that was first identified in 2021. The malware takes screen recordings and logs keystrokes to obtain login and banking credentials. Vultur was previously detected by ThreatFabric being delivered via fitness apps and 2FA authenticators through the Google Play Store, and in 2021 the cybersecurity firm reported that, unlike many other mobile banking Trojans, the malware did not use overlays. That has now changed.

Google assesses applications and usually blocks malicious apps from its Play Store; however, rogue apps occasionally make it past Google’s checks. It is common for the developers of banking Trojans to hide malware droppers inside otherwise functional apps. It therefore pays to read the comments before downloading any app and to pay particular attention to low-star ratings. Bear in mind, as is the case with the 2FA Authenticator app, that malicious apps often perform the advertised functions – they also perform functions that are not advertised.

Pradeo reported the malicious app to Google, which has now removed it from the Play Store; however, anyone who has already downloaded the app remains at risk and needs to manually uninstall it from their device.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news