What supposed to be an app to help Android users feel safer, was ironically a fraud.
The app in question, goes by the name '2FA Authenticator', acts as a two-factor authentication app. But instead of doing what it promises, the app was found to be a trojan dropper hackers use to install malware on victims' devices, in order to steal money from them.
To do this, the app uses a malware called 'Vultur'.
Through the malware, the app targets financial services apps to steal victims' banking information.
Found by researchers at mobile security firm Pradeo, the report said that the app could be found on Google Play Store, and has been installed by more than 10,000 users.
A two-factor authentication app is meant to validate users' identity when they want to sign in to apps/web services that require multi-factor authentication.
In this case, the 2FA Authenticator app disguises itself as a two-factor-authentication code generator, and at the front, it's fully functional.
However, the app does nothing to improve users' security.
Instead, the app asks for intrusive permissions after installation, including the permissions to have full network access to install "updates" from the internet instead of receiving updates through Google Play.
If users of the app grant it the permission, the app can connect to the internet automatically to download Vultur from its servers.
Vultur was first discovered by security researchers at ThreatFabric.
"The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking trojans: this approach usually requires more time and effort from the actors in order to steal relevant information from the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result," wrote ThreatFabric in a blog post at the time.
When installed, the malware can take screenshots, and act as a keylogger to record whatever users type in, including usernames, email addresses and passwords.
Making things worse, this 2FA Authenticator app also asks for permission to take pictures and videos, disable the screen lock, run at startup, draw over other apps, and prevent devices from sleeping. The app can also grant itself more permissions, including the ability to disable the keyboard, permission to access foreground services, permission to query all packages, permission to use biometrics, and use victim's fingerprint.
The malware that has a free pass to connect to its servers, can then send that information to its operators, who can then use the credentials they stole to hijack victims' bank accounts.
Fortunately, the team at Pradeo acted quickly and notified Google about the existence of this malicious app.
Google also responded quickly by removing the app from its Play Store, and removed it on January 27th, 2022, 15 days after lurking in the app store undetected.
According to the researchers, the threat actors developed an operational and convincing app to disguise the malware dropper, using open-source Aegis authentication code injected with malicious add-ons.
This attempt helped the app to spread through Google Play Store undetected.
"As a result, the application is successfully disguised as an authentication tool, which ensures it maintains a low profile," the report added.
Because Google in removing the 2FA Authenticator app doesn't remove the app from users' phones, Pradeo suggests Android users to see whether or not they have this app installed.
it's worth noting that despite the app has been removed from Google Play Store, chances are, the app can still be found on third-party app stores.