Register now for better personalized quote!

Google Play app dropped Vultur banking Trojan on Android handsets

Jan, 28, 2022 Hi-network.com

A Trojanized 2FA authenticator app has been removed from the Google Play Store. 

Recommends

The best mobile VPNs

Here's how to find an effective Virtual Private Network service for both iOS-powered iPhones and Android smartphones.

Read now

The app, 2FA Authenticator, was discovered by the Pradeo security team. 

According to a cached version of the app's page on Google Play, the developer said the software provided a "secure authenticator for your online services, while also including some features missing in existing authenticator apps, like proper encryption and backups."

Update 8.57GMT, 5/2: The malicious app, 2FA Authenticator, is not the same and should not be confused with 2FA Authenticator (2FAS), which is available on Google Play. 

In addition, the app claimed to support HOTP and TOTP and was marketed as a way to import other authenticator protocols -- including Authy, Google Authenticator, Microsoft Authenticator, and Steam -- and host them in one place. 

Pradeo

The app was downloaded and installed over 10,000 times during its time on Google Play. 

However, the app was less about protecting your data and more about stealing it. According to Pradeo, the app would act as a dropper for malware designed to steal financial information upon installation. 

"It has been developed to look legitimate and provide a real service," the researchers say. "To do so, its developers used the open-source code of the official Aegis authentication application to which they injected malicious code. As a result, the application is successfully disguised as an authentication tool which ensures it maintains a low profile."

In the first stage of the attack, 2FA Authenticator requests a range of permissions from the handset owner, including camera and biometric access, the ability to tamper with system alerts, package querying, and the ability to disable keylock. 

The permissions allow the malware to perform actions including collecting localized data for targeted attacks, disabling keylock and password security, downloading external apps, and creating overlay windows over other mobile application windows. 

Once these permissions have been granted, the dropper then installs Vultur. 

According to Threat Fabric, Vulture is a Remote Access Trojan (RAT) that is a relatively new entrant to the malware landscape. Vultur uses screen recording and keylogging to capture bank account and financial service credentials rather than traditional overlay functions -- a slower method, but potentially one that is less likely to be detected. 

ZDNet Recommends: Google Pixel 6 Pro -- Best Android Phone

$899 at Google

Vultur tends to target European banking institutions as well as a range of cryptocurrency wallet platforms. The dropper used to execute the RAT is a framework called Brunhilda, previously linked to Android malware distribution through fake utility and 2FA apps on Google Play. 

In an update, the Pradeo team said the malicious app was removed after being available on the Google Play Store for 15 days. If you try to access the 2FA Authenticator page, you are met with an error display. 

Users of the app are advised to delete the software from their handsets.

ZDNet has reached out to Google, and we will update when we hear back.

See also

  • New banking Trojan SharkBot makes waves across Europe, US
  • Over 300,000 Android users have downloaded these banking trojan malware apps, say security researchers
  • This cruel Android malware wipes phones after stealing money

Have a tip?Get in touch securely via WhatsApp Signal at +447713 025 499, or over at Keybase: charlie0


Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next
  • 8 habits of highly secure remote workers
  • How to find and remove spyware from your phone
  • The best VPN services: How do the top 5 compare?
  • How to find out if you are involved in a data breach -- and what to do next

tag-icon Hot Tags : Tech Our process Security

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.