A trojanized 2FA authenticator app that had been downloaded more than 10,000 times has been removed from the Google Play Store.
The app claimed to provide a secure authenticator for online services, with features missing from existing authenticator apps such as proper encryption and backups. It also claimed to support HOTP and TOTP, and was marketed as able to import tokens from other authenticator apps, including Authy, Google Authenticator, Microsoft Authenticator, and Steam, and host them all in one place.
However, researchers say the app was less about protecting your data and more about stealing it. Once installed, it acted as a dropper for malware designed to steal financial information. The developers took the open-source code of the legitimate Aegis authenticator and injected malicious code into it. Because the result still works as a real authenticator, the app is convincingly disguised and keeps a low profile.
In the first stage of the attack, 2FA Authenticator requests a range of permissions from the handset owner, including camera and biometric access, the ability to draw system alert windows over other apps, package querying, and the ability to disable the keylock.
These permissions let the malware collect localized data for targeted attacks, disable the key lock and password security, download and install external apps, and create overlay windows on top of other mobile applications. Note that a genuine authenticator has a legitimate need for the camera (scanning QR codes) and biometrics (unlocking the vault); it is the combination with overlay, keyguard and package-installation permissions that is out of place. Once the permissions have been granted, the dropper installs Vultur.
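As an added illustration, not code from the report or from the app itself, the following Python script triages an Android manifest for the permission cluster described above. Two manifests are constructed inline: one resembling a benign authenticator and one declaring the extra permissions. The mapping from the capabilities in the text to concrete permission names (SYSTEM_ALERT_WINDOW for overlays, DISABLE_KEYGUARD for the key lock, QUERY_ALL_PACKAGES for package querying, REQUEST_INSTALL_PACKAGES for installing other apps) is this example's assumption, not something the report states.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions a legitimate TOTP/HOTP authenticator plausibly needs:
# camera for QR-code enrolment, biometrics for unlocking the token vault.
EXPECTED_FOR_AUTHENTICATOR = {
    "android.permission.CAMERA",
    "android.permission.USE_BIOMETRIC",
    "android.permission.USE_FINGERPRINT",
}

# Permissions matching the dropper capabilities described in the article.
# The prose-to-permission mapping here is this example's assumption.
DROPPER_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows over other apps",
    "android.permission.DISABLE_KEYGUARD": "disable key lock",
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed packages",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install external apps",
}

# Constructed sample manifests (not taken from any real APK).
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.authenticator">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
</manifest>"""

TROJANIZED_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.authenticator">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def triage(manifest_xml: str) -> dict:
    """Flag an authenticator manifest whose permissions look like a dropper's.

    A single indicator can have a benign explanation (a floating widget may
    use SYSTEM_ALERT_WINDOW), so the verdict requires two or more of them.
    """
    perms = declared_permissions(manifest_xml)
    indicators = set(DROPPER_INDICATORS)
    hits = {p: DROPPER_INDICATORS[p] for p in perms & indicators}
    other = sorted(perms - EXPECTED_FOR_AUTHENTICATOR - indicators)
    return {"indicators": hits, "other": other, "suspicious": len(hits) >= 2}


if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("trojanized", TROJANIZED_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: suspicious={result['suspicious']}")
        for perm, why in result["indicators"].items():
            print(f"  {perm}: {why}")
```

On a real APK the manifest is binary XML; run it through `apktool d` or `aapt dump xmltree` first and feed the decoded text to `triage`. The threshold of two indicators is a triage heuristic, not proof of malice, and the `other` list is there so a reviewer can see what else the app asks for (here `INTERNET`, which almost every app declares).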
Vultur is a RAT that uses screen recording and keylogging to capture bank account and financial service credentials, rather than the traditional overlay technique: a slower method, but potentially one that is less likely to be detected. Banking institutions and cryptocurrency wallet platforms are the prime targets. The dropper used to deliver the RAT is a framework called Brunhilda, previously linked to Android malware distribution through fake utility and 2FA apps on Google Play.
The malicious app was removed after being available on the Google Play Store for 15 days. Users who installed it are advised to delete it from their handsets. Because the dropper installs Vultur as a separate payload, removing the authenticator app alone does not guarantee the RAT is gone: any package it installed should be removed as well, and banking or wallet credentials entered on the device while it was present should be treated as exposed.