Google Play Store removes nightmare-sounding fake 2FA app full of banking malware

The bogus application collected user info to steal login credentials

Two-factor authentication (2FA) is designed to keep users safe by offering an extra line of defense against attackers. But what happens when 2FA apps themselves are the ones being malicious? That's just what we're looking at in a new report from the mobile security firm Pradeo, analyzing a compromised 2FA app that was downloaded more than 10,000 times before Google pulled it offline in mid-January.

The app Praedo looked at is called 2FA Authenticator. While built around a legitimate open-source 2FA framework, a hidden payload contained a malware package known as Vultur, a Remote Access Trojan (RAT).

The fake authenticator took a multi-pronged approach to stealing data. First, it gathered a list of installed apps and location data (so cybercriminals could target specific users by country). Under the guise of installing "updates," the malware disabled system security checks, working covertly even after the victim thought the app was shut down. When ready, the app let loose Vultur, which would zero in on banking apps. That's when a slow drain on a victim's finances could begin.

RATs themselves — and even specifically those that target banking info — are far from new threats, but one of the most insidious features of this one is just how well-concealed it was. The app outwardly functioned just as a reasonable user might expect it to — but 2FA Authenticator was a wolf in sheep's clothing, as the dangerous software was essentially hidden inside a shell of open-source code from the totally legit Aegis Authenticator 2FA app.

With all this brought to its attention, Google obviously pulled 2FA Authenticator from the Play Store — you can see the old listing via this archived link — and anyone unlucky enough to have it already should delete it from their phone immediately (if not consider a full wipe).

About The Author