A security app available on the Google Play store was actually a dangerous trojan that could infect users' devices and harvest their details, a security firm has discovered.
The app, 2FA Authenticator, pitched itself as a way to centralize similar tools, such as Google Authenticator and Microsoft Authenticator, in one place. It is believed that the app was available on the Google Play store for two weeks, and was downloaded over 10,000 times.
Malicious apps may look innocent on the surface, but as has been shown time and again, even being hosted on a reputable platform such as Google Play doesn't mean that they're legitimate.
What is the 2FA Authenticator App?
Two-factor authentication (2FA) is a great way for users to prove they are who they claim to be when logging into a site or service, usually by verifying their identity through a separate device, such as a smartphone. It's a fairly secure method: if someone is able to get hold of your login details, they're powerless without that extra device.
The 2FA Authenticator app on the Google Play store claimed to be able to import other authenticator apps, including Google and Microsoft's solutions, and host them in one place.
However, research from Pradeo showed that instead of protecting your details, it was actually severely compromising them, dropping a trojan onto the user's device that would allow malware, named Vultur, to be installed.
Although Pradeo alerted Google Play when it discovered the malicious app, we know that the app was live on the service for 15 days, and was downloaded over 10,000 times. It goes without saying that if you are one of those who downloaded the 2FA Authenticator app, delete it now.
What Does the App Do?
Before installing the malware on the user's device, the app first runs through some permissions, including accessing the user's camera, disabling the screen lock and preventing the device from sleeping, among others. Doing so gives the app a lot more free rein than a user would like, and it means that the app is able to perform activities even when closed, download third-party applications, and disable password security.
Once it has done this, it begins the second stage of the attack – installing the malware itself, in the shape of Vultur. Vultur is a relatively young piece of malware, surfacing less than a year ago, but it shouldn't be underestimated. Once installed, it can screen record and key log any data on the user's phone, meaning that sensitive information can be sent directly to the threat actor. The malware specifically targets banking apps, as well as social media and cryptocurrency apps.
How Can I Protect Myself from Malicious Apps?
In the case of 2FA Authenticator, the malicious app was caught relatively early on thanks to those suspicious permissions, and removed from the Play store by Google.
As always, only download apps from legitimate sources, and always check the reviews – with 2FA Authenticator, the user reviews showed plenty of one-star ratings with warnings. For authenticator apps, try to use the one that is recommended by the service you're using, or your workplace.
Never click on unsolicited links for apps, as they could lead anywhere – always make sure to head straight to the official store for your platform and download from there.
Check those permissions too. If an app is asking for a lot of access to your device, question why, and ditch it.
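As an added illustration (not part of the original article or Pradeo's research), the following Python example checks a decoded AndroidManifest.xml for the permission combination described above. The mapping from the article's descriptions to Android permission constants, the threshold of three, and both sample manifests are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the behaviours the article describes to Android
# permission constants; the article itself does not name the constants.
RISKY = {
    "android.permission.CAMERA": "access the camera",
    "android.permission.DISABLE_KEYGUARD": "disable the screen lock",
    "android.permission.WAKE_LOCK": "keep the device from sleeping",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install third-party apps",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    perms = set()
    for el in ET.fromstring(manifest_xml).iter():
        # Both element types declare a requested permission.
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def review(manifest_xml, threshold=3):
    """Flag the manifest when several risky permissions appear together.

    A single hit (e.g. CAMERA for scanning QR codes) is normal for an
    authenticator; the combination is what deserves a closer look.
    """
    hits = sorted(requested_permissions(manifest_xml).intersection(RISKY))
    return {"hits": hits, "reasons": [RISKY[p] for p in hits],
            "suspicious": len(hits) >= threshold}

# Constructed sample manifests (hypothetical packages, not from any real app).
OVERREACHING = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.overreaching">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("overreaching", OVERREACHING), ("benign", BENIGN)):
        print(label, review(manifest))
```

A flag here is a prompt to ask why the app needs that access, not proof that it is malicious.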
A good anti-virus program can help identify malware and other nasties, isolating and removing them from your device before they can do any damage.