A fake two-factor authentication app on Android was actually hiding a banking trojan that could steal financial data and other personal information. If you’re one of the 10,000 people who downloaded it, you need to get rid of it right now.
Researchers from Pradeo discovered the app, which was aptly named 2FA Authenticator. It installs a trojan called Vultur, which has been infecting Android phones for over a year.
Roxane Suau from Pradeo said, “Our analysis revealed that the dropper automatically installs a malware called Vultur, which targets financial services to steal users’ banking information.”
Apparently, the app was well-designed to look like a legitimate 2FA tool. According to Pradeo, “It has been developed to look legitimate and provide a real service. To do so, its developers used the open-source code of the official Aegis authentication application to which they injected malicious code.”
The malware works in two stages. First, it profiles the user. It collects and sends the user’s application lists and location data, which allows the attackers to target their actions. During this phase, it will disable the keylock and any associated password security and download other third-party apps disguised as updates.
For stage two, the researchers found that the attack is conditioned to the information the app finds on its users. When some conditions are met, the dropper installs Vultur, the malware that primarily targets online banking interfaces to steal credentials and financial information, which is obviously scary.
This is not a piece of malware to be taken lightly. If you installed this app (which has been removed from Google Play but is still available on some third-party app stores), you need to delete it immediately. If the app starts relaunching itself when you try to close it, restart your phone and delete it.