top of page
  • Writer's pictureORNA

Users Struck by Banking Trojan Masquerading as 2FA App

Whenever we download a Two-Factor Authentication (2FA) app or any kind of app from the Apple or Google Play Store, I can’t imagine too many people giving too much thought to the legitimacy of the app.

I mean, I go on downloading rampages, though I won’t download anything below a 4.0 rating. In my moments of naivety, it makes me feel better. But it’s unhygienic as it relates to security. I’m changing my ways today.

Downloading apps from trusted sources is not a guarantee that it’s safe, though it is certainly safer than downloading an app from some website on the internet. You’d have to be pretty desperate and willing to sacrifice the device and whatever content that’s on it in the worst-case scenario that it contains malware.

Unfortunately, for many users who love to play those weird games that promise them big payouts, app scams do exist. But what happens when scams aren’t so obvious but offer their users legitimate services as advertised?

Let’s go there for a moment because this happened.

A Fake App Gateway to Your Phone

Recently, researchers at Pradeo Mobile Solutions discovered an app available on the Google Play Store called 2FA Authenticator, which wasn’t anything as it appeared, but in fact, was masquerading as a trojan dropper. Nevertheless, it offered an actual service, at first glance it appeared to be as it was advertised.

Basically, a dropper can allow a threat actor, who has released malware into the wild, to have the ability to install a malicious backdoor or other forms of malware onto infected devices. Interestingly enough, droppers can exist as elegantly constructed containers for malicious code, making them hard to detect.

Pradeo said that the fictitious 2FA Authenticator first appeared available for download on Jan. 26, and informed Google that the app was malicious. More than two weeks later, Google removed the file from the Google Play Store. But during the lengthy delay, the app was installed by around 10,000 users. Why such a long delay in Google’s Incident Response has not been formerly ascertained.

Last year, ThreatFabric, a mobile threat detection, and intelligence firm, discovered what they described as an advanced piece of malware that targets the Android platform. The malicious code itself is known as Vultur.

Part of its utility is the ability to utilize the actual implementation of the VNC’s screen-sharing application. This gives the attackers the ability to duplicate or mirror the screens of infected devices, where they can watch real-time login information, as well as intercept other sensitive data, including over 100 various banking and cryptocurrency apps.

To camouflage the ruse, the developers behind the malware uploaded a genuine sample of the open-source Aegis authentication application to the GitHub repository. After further analysis, researchers from the firm discovered that the app was in fact programmed to provide users with the authentication service, as it was advertised.

Additionally, the fake app assembles a list of apps the user had installed on the device and retrieves the geographic location of the infected devices. Other features include the ability to disable the Android lock screen, install apps from untrusted sources under the guise of “updates” and even obfuscate the user’s interface with overlays, to confuse the user.

Under the right conditions, the 2FA Authenticator was designed to secretly install the Vultur trojan. After detecting the user’s financial apps, the trojan would then begin to record the screen, allowing the attackers to seamlessly capture the credentials.

Red Flags

Experienced users familiar with the Android platform, and its everyday operations would have detected several red flags, indicating that the app was malicious, due to the unusually large scope of permissions the app requested.

The following is an example of unnecessarily broad permission, which would have alerted an experienced Android user that the app could not be trusted:

  • android.permission.QUERY_ALL_PACKAGES

  • android.permission.SYSTEM_ALERT_WINDOW

  • android.permission.REQUEST_INSTALL_PACKAGES

  • android.permission.INTERNET

  • android.permission.FOREGROUND_SERVICE

  • android.permission.RECEIVE_BOOT_COMPLETED

  • android.permission.DISABLE_KEYGUARD

  • android.permission.WAKE_LOCK

These permissions weren’t included in the source code sample, which should have raised eyebrows. Additionally, once Android users began to experience a variety of app updates out of the ordinary, this should have also raised some warning bells.

Signs Your Phone Got Pwnt

It goes without saying that users should promptly delete this app from their Android devices. Just because the app has been removed from the Google Play Store doesn’t mean the app has been disabled in any way.

If you want my opinion, Android devices aren’t very secure platforms. This is due, in part, to the way their permissions are set up, in addition to the fact they don’t come with preinstalled antivirus protection. This is coming from someone who formerly used to think iPhones were dumb, overly expensive devices I didn’t understand.

The other side to that argument is the fact iOS devices don’t come with antivirus protection either. However, iOS devices ostensibly don’t need antivirus protection, simply because their platform is designed with security at its very foundation. Part of the integrity of the iOS platform largely lies in the way its permissions are established, which will deny permissions to suspicious apps.

Suspicious apps will always request odd permissions that largely have nothing to do with their functionality. Some years ago, I downloaded a simple calendar app on my Android phone. To use it, it requested access to my microphone, camera, contacts, and pretty much everything else that had nothing to do with using a simple calendar.

Initially, I wasn’t aware that the app was malicious. My phone was acting funny, so I downloaded Avast Antivirus and a firewall app so I could monitor and analyze all the incoming and outgoing connections happening on my phone. Setting up the port permissions for that was a headache, and in the end, I was exasperated and just opted to wipe my phone and start over.

The following is a short list of red flags you might experience on your Android device that could indicate that your device has become infected with the malware:

  • If your Android is overheating. However, there is a regular occurrence when overheating can be considered normal, such as when watching videos for a long time, or video streaming for a long time, with the brightness display on high.

  • Your battery life tends to drain unusually fast.

  • You experience frequent pop-ups.

  • The device is running painfully slow. Getting a CPU usage display, like a widget, can help you determine how much CPU is being consumed by apps.

  • If you discover apps you know you didn’t download, that’s a pretty strong indication your device has been compromised. However, after a factory reset, it’s normal for Android to automatically download bloatware, such as games.

  • Your data usage is more than you know you’ve consumed.

An article by

Jesse McGraw

Edited by

Anne Caminer




Rome wasn't built in a day, but your SOC might be.


Weekly cyber insights

Thanks for submitting!

bottom of page