Google Play Store removes nightmare-sounding fake 2FA app full of banking malware

Two-factor authentication (2FA) is designed to keep users safe byoffering an extra line of defense against attackers. But what happens when 2FA apps themselves are the ones being malicious? That’s just what we’re looking at in a new report from the mobile security firm Pradeo, analyzing a compromised 2FA app that was downloaded more than 10,000 times before Google pulled it offline in mid-January.

The appPraedo looked atis called 2FA Authenticator. While built around a legitimate open-source 2FA framework, a hidden payload contained a malware package known asVultur, a Remote Access Trojan (RAT).

4

The fake authenticator took a multi-pronged approach to stealing data. First, it gathered a list of installed apps and location data (so cybercriminals could target specific users by country). Under the guise of installing “updates,” the malware disabled system security checks, working covertly even after the victim thought the app was shut down. When ready, the app let loose Vultur, which would zero in on banking apps. That’s when a slow drain on a victim’s finances could begin.

RATs themselves — and even specificallythose that target banking info— are far from new threats, but one of the most insidious features of this one is just how well-concealed it was. The app outwardly functioned just as a reasonable user might expect it to — but 2FA Authenticator was a wolf in sheep’s clothing, as the dangerous software was essentially hidden inside a shell of open-source code from the totally legitAegis Authenticator2FA app.

google-2fa-header

With all this brought to its attention, Google obviously pulled 2FA Authenticator from the Play Store —you can see the old listing via this archived link— and anyone unlucky enough to have it already should delete it from their phone immediately (if not consider a full wipe).

The note-taking app I should have used all along

Browsers

Broader branding hints at wider paid-tier ambitions

Some scary urban digital legends

Samsung Notes logo in front of image containing S Pen and devices using Samsung Notes

It’s been an interesting journey

Get 14 ports for $170

Google Home icon with some gadgets around it.

Samsung’s making a bold move