March 22, 2023

A harmful 2FA authenticator app that downloaded over 10,000 times has been removed from the Google Play Store whish been trojanized.

The software claimed to be provided with a secure authenticator for your online services, while also including some features missing in existing authenticator apps, like proper encryption and backups. Also, the app claimed to support HOTP and TOTP, and was marketed to import other authenticator protocols including Authy, Google Authenticator, Microsoft Authenticator, and Steam and host them in one place.

Advertisements

However, researchers say the app was less about protecting your data and more about stealing it. Once installed, the app would act as a dropper for malware designed to steal financial information. The developers used the open-source code of the official Aegis authentication application to which they injected malicious code. As a result, the application is successfully disguised as an authentication tool which ensures it maintains a low profile.

In the earlier stage of the attack, 2FA Authenticator requests a range of permissions from the handset owner including camera and biometric access, the ability to tamper with system alerts, package querying, and the ability to disable keylock.

The permissions allow the malware to perform actions including collecting localized data for targeted attacks, disabling key lock and password security, downloading external apps, and creating overlay windows over other mobile application windows. Once these permissions have been granted, the dropper then installs Vultur.

Advertisements

Vulture is a RAT that uses screen recording and keylogging to capture bank account and financial service credentials rather than traditional overlay functions a slower method, but potentially one that is less likely to be detected. Banking institutions as well as cryptocurrency wallet platforms are the prime target. The dropper used to execute the RAT is a framework called Brunhilda, previously linked to Android malware distribution through fake utility and 2FA apps on Google Play.

This malicious app was removed after being available on the Google Play Store for 15 days. Users of the app are advised to delete the software from their handsets.

Tags:

Leave a Reply

Related Post

Google blocks Pinduoduo App amid Security Concerns

Google blocks Pinduoduo App amid Security Concerns

March 22, 2023
Mandiant Report – Nation State Zero Day Exploits in 2022

Mandiant Report – Nation State Zero Day Exploits in 2022

March 22, 2023

You may have missed

Google blocks Pinduoduo App amid Security Concerns

Google blocks Pinduoduo App amid Security Concerns

March 22, 2023
Mandiant Report – Nation State Zero Day Exploits in 2022

Mandiant Report – Nation State Zero Day Exploits in 2022

March 22, 2023
Mispadu Banking Trojan

Mispadu Banking Trojan

March 22, 2023
DotRunpeX – Malware Injector Spreads in Wild

DotRunpeX – Malware Injector Spreads in Wild

March 21, 2023
Killnet Targets Healthcare Azure Resources

Killnet Targets Healthcare Azure Resources

March 21, 2023
NBA suffers a Data Breach – Third Party Provider Data Stolen

NBA suffers a Data Breach – Third Party Provider Data Stolen

March 21, 2023
%d bloggers like this: