Malicious 2FA App Found on Google Play

The app clocked over 10,000 downloads before it was removed

Cybersecurity researchers have helped delist a fake two-factor authentication (2FA) app from the Google Play store, which concealed a well-known banking credential-stealing malware.

The app, named 2FA Authenticator, was discovered by researchers at the security firm Pradeo. It disguised itself as a legitimate 2FA app and used that cover to deliver the relatively new but extremely dangerous Vultur malware, which is designed to steal banking credentials.

[Image: A smartphone sitting on a laptop keyboard, with a skull and crossbones displayed on the screen. Credit: Ali Kerem Yucel / Getty Images]

In their report, researchers note the fully functional 2FA authenticator app was removed from Google Play on January 27, after remaining available on the store for over two weeks, where it saw over 10,000 downloads.

According to the researchers, the threat actors built the app on top of the genuine, open-source Aegis authentication application and then added malicious functionality to it.

Pradeo says the fake app's deception was elaborate enough for it to pass as an authentication tool under casual user scrutiny. What alarmed the researchers, however, was the app's extensive set of permission requests, including camera and biometric access, system alerts, package querying, and the ability to disable the keylock.

These permissions go far beyond those required by the original Aegis application, and they were not disclosed in the app's Google Play profile. They also leave users exposed to financial data theft and other follow-up attacks, even if the person who installed the app never used it.

While the fake 2FA app has been removed from the Play Store, Pradeo warns users who have installed the app to manually remove it immediately.
