Wednesday, July 6, 2022

2FA application with 10,000 Google Play downloads loaded known bank trojan


A fake two-factor verification application downloaded about 10,000 times from Google Play secretly installed a well-known bank fraud trojan that searched infected phones for financial data and other personal information, security firm Pradeo said.

2FA Authenticator went live on Google Play two weeks ago as an alternative to legitimate 2FA applications from Google, Twilio, and other reputable companies. In fact, researchers at security firm Pradeo said Thursday, the application steals personal data from user devices and uses it to determine whether infected phones should download and install a banking trojan that is already known to have infected thousands of phones in the past.

The vultures circle

Discovered last year by security firm ThreatFabric, Vultur is an advanced piece of Android malware. One of its many innovations is the use of an actual implementation of the VNC screen sharing application to mirror the screens of infected devices so that attackers can pick up credentials and other sensitive data from banking and finance applications in real time.

To make 2FA Authenticator look real, its developers started from the legitimate code of the open source Aegis authentication application. An analysis of the malware shows that it was actually programmed to provide the verification service it advertised.

Behind the scenes, however, stage one of 2FA Authenticator collected a list of the applications installed on the device along with the device’s geographical location. The app also disabled the Android lock screen, downloaded third-party applications disguised as “updates,” and overlaid other mobile application interfaces to confuse users.

If infected phones were in the right locations and had the right applications installed, stage two of 2FA Authenticator installed Vultur, which is programmed to record Android device screens when any of 103 banking, financial or cryptocurrency applications comes to the foreground.

Pradeo said that 2FA Authenticator was launched on January 12, that company researchers notified Google on January 26 that the application was malicious, and that Google removed it about 12 hours later. Over the two weeks that it was available in Play, the application was installed by about 10,000 users. It’s not clear if Google notified any of them that the security program they thought they were getting was in fact a bank fraud trojan.

In retrospect, there were red flags that could have told experienced Android users that 2FA Authenticator was malicious. The most important among them was the extraordinary number and breadth of system permissions it required. They included:

  • android.permission.QUERY_ALL_PACKAGES
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.REQUEST_INSTALL_PACKAGES
  • android.permission.INTERNET
  • android.permission.FOREGROUND_SERVICE
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.DISABLE_KEYGUARD
  • android.permission.WAKE_LOCK

The official Aegis open source application code does not require any of these permissions. Application downloads that pose as updates may be another sign that something is amiss with 2FA Authenticator.
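The permission comparison described above can be automated when vetting a repackaged app. The following is an added example, not code from Pradeo, Aegis or the original article: it diffs the permissions declared in a decoded `AndroidManifest.xml` against those of the upstream app and flags the ones the article lists. Both manifests, the package name and the two baseline permissions are constructed for illustration and are not the real files.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# The eight permissions listed in the article, with what each one allows.
WATCHLIST = {
    "android.permission.QUERY_ALL_PACKAGES": "enumerate every installed app",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "prompt to install APKs",
    "android.permission.INTERNET": "network access",
    "android.permission.FOREGROUND_SERVICE": "run a foreground service",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start after reboot",
    "android.permission.DISABLE_KEYGUARD": "disable the lock screen",
    "android.permission.WAKE_LOCK": "keep the device awake",
}

def _manifest(perms):
    """Build a constructed, already-decoded manifest (not a real app's file)."""
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.otp">{body}</manifest>')

# Hypothetical baseline: what the upstream open source build declares.
BASELINE = ["android.permission.CAMERA", "android.permission.USE_BIOMETRIC"]
BASELINE_XML = _manifest(BASELINE)
REPACKAGED_XML = _manifest([*BASELINE, *WATCHLIST])

def declared_permissions(manifest_xml):
    """Return the set of permission names a text manifest declares."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = {el.get(ANDROID + "name") for tag in tags for el in root.iter(tag)}
    return names - {None}

def audit(candidate_xml, baseline_xml):
    """Report permissions the candidate adds on top of the baseline."""
    added = declared_permissions(candidate_xml) - declared_permissions(baseline_xml)
    flagged = {p: WATCHLIST[p] for p in sorted(added) if p in WATCHLIST}
    # INTERNET plus REQUEST_INSTALL_PACKAGES lets an app download an APK
    # and prompt the user to install it, as with the fake "updates".
    fetch_install = {"android.permission.INTERNET",
                     "android.permission.REQUEST_INSTALL_PACKAGES"} <= added
    return {"added": sorted(added), "flagged": flagged,
            "can_fetch_and_install": fetch_install}

if __name__ == "__main__":
    report = audit(REPACKAGED_XML, BASELINE_XML)
    for perm, why in report["flagged"].items():
        print(f"{perm}: {why}")
    print("can fetch and install APKs:", report["can_fetch_and_install"])
```

The manifest inside an APK is stored in a binary XML format, so it has to be decoded to text before a parser like this can read it.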

A 2FA Authenticator review by one Google Play user.

Pradeo

An email seeking comment, sent to the developer address in the Google Play listing, did not receive an immediate response. The same malicious 2FA Authenticator application remains available in third-party marketplaces. Google representatives were not immediately available for comment.


