
MFA Android App Pulled Down After Infecting 10K Devices With Malware


A multi-factor authentication app carrying an Android banking Trojan has been removed from the Google Play store. According to security researchers, however, it had been downloaded roughly 10,000 times before the takedown.

The app did what it said on the tin: under the plain name "2FA Authenticator" it offered working MFA functionality. Bundled with it, however, was the Vultur banking Trojan, an Android stealer that captures banking login credentials from victims' phones.

Vultur Malware Hidden in Functional MFA App

The app was analyzed by a research team at the security company Pradeo. According to their report, the operators distributing Vultur went to the effort of building a working, legitimate-looking MFA app purely so they would have a convincing vehicle for delivering the infostealer Trojan.

According to Pradeo, the app made it onto Google Play in the first place and survived there for about two weeks because it was built on open-source authenticator code from the Aegis Authenticator project. Having a genuinely working MFA module inside helped disguise the payload and let the app go unnoticed for a while.

Vultur stood out because it was the first Android RAT of its kind to drop the HTML overlay technique used by similar stealers (fake login screens drawn over the real banking app to harvest credentials) and instead simply record what is happening on the device's screen. The malware was first spotted in early 2021.

Vultur-Laden App Asks for Additional Privileges

In addition to carrying the banking Trojan, the now-removed MFA app also requested privileges that went far beyond what its store listing disclosed. Once granted, those permissions would let the operators track the victim's GPS location, download other apps, and even take control of the entire device. On Android, each of those capabilities requires the user to approve a runtime permission prompt or to enable an accessibility service in Settings, so the prompts themselves are the tell: an authenticator has no reason to ask for location, app installation, or accessibility access.
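The mismatch between a store listing and the manifest is something you can check mechanically. The following is an added example, not Pradeo's tooling and not the real manifest of the pulled app: it parses a decoded AndroidManifest.xml (the form apktool emits), lists every permission the app requests beyond what a plain authenticator plausibly needs, and flags the ones that map onto the capabilities described above (location, installing further apps, and accessibility-based device control). The baseline set, the package name, and the class names are assumptions constructed for the example.

```python
"""Permission triage for an Android app whose store listing promises only
MFA.  Added example, not Pradeo's tooling and not the real manifest of the
pulled app: the manifests below are constructed to show the pattern the
article describes (a working authenticator that also declares permissions
an authenticator has no reason to hold).  Input is a decoded
AndroidManifest.xml, e.g. from `apktool d app.apk`."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Assumption: what a plain TOTP authenticator plausibly needs (camera for
# scanning QR enrolment codes, vibrate for haptic feedback).  Anything
# outside this set is "excess" relative to what the listing implies.
AUTHENTICATOR_BASELINE = {
    "android.permission.CAMERA",
    "android.permission.VIBRATE",
}

# Permissions that map onto the capabilities the article attributes to the
# app: location tracking, pulling in further apps, and device control (an
# accessibility service is the usual route to the latter).
HIGH_RISK = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse location tracking",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installing further apps",
    "android.permission.SYSTEM_ALERT_WINDOW": "drawing over other apps",
    ACCESSIBILITY: "accessibility-based control of the device",
}


def triage_manifest(manifest_xml: str, baseline=AUTHENTICATOR_BASELINE):
    """Return what the app requests beyond `baseline` and which of those
    requests map onto known banking-malware capabilities."""
    root = ET.fromstring(manifest_xml)
    requested = {
        el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)
    }
    # Accessibility access is not a <uses-permission>: a <service> declares
    # BIND_ACCESSIBILITY_SERVICE as the permission the system must hold to
    # bind it, and the user later enables it in Settings.  Scan services too.
    accessibility_services = [
        svc.get(NAME) for svc in root.iter("service")
        if svc.get(PERMISSION) == ACCESSIBILITY
    ]
    flagged = {p: HIGH_RISK[p] for p in requested if p in HIGH_RISK}
    if accessibility_services:
        flagged[ACCESSIBILITY] = HIGH_RISK[ACCESSIBILITY]
    return {
        "package": root.get("package"),
        "requested": sorted(requested),
        "excess": sorted(requested - baseline),
        "flagged": flagged,
        "accessibility_services": accessibility_services,
    }


def is_suspicious(report: dict) -> bool:
    """An authenticator declaring any high-risk capability deserves a closer
    look no matter how well its MFA screens work."""
    return bool(report["flagged"])


# Constructed manifest in the shape apktool emits.  Package and class names
# are placeholders, not the real app's identifiers.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake2fa">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="2FA Authenticator">
    <activity android:name=".MainActivity"/>
    <service android:name=".AccessService" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# The same kind of app declaring only what its listing implies (constructed).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.honest2fa">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="2FA Authenticator">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for xml in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(xml)
        print(r["package"], "SUSPICIOUS" if is_suspicious(r) else "clean")
        for perm in r["excess"]:
            print("  excess:", perm, "->", r["flagged"].get(perm, "beyond listing, not high-risk"))
        for svc in r["accessibility_services"]:
            print("  accessibility service:", svc)
```

For an app already on a device, `adb shell dumpsys package <package>` prints the requested and granted permissions, which can be fed through the same comparison. Note that INTERNET is reported as excess but not high-risk here; whether a network permission is legitimate depends on the listing, so the two tiers are kept separate rather than collapsed into one verdict.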

All 10,000 or so users who downloaded the malicious app are advised to remove it as soon as possible to limit the risk of data and credential theft. Because the app was also a working authenticator, any accounts enrolled in it should be treated as exposed: re-enroll their MFA in a trusted authenticator and change the passwords of any banking accounts used on the device.
