When a seemingly harmless 2FA app hides a virus

Two-factor authentication (2FA) is designed to protect users by providing an additional layer of security against attackers. But what happens when the 2FA apps themselves are malicious? That is exactly what we're looking into in a new report from mobile security company Pradeo, which analyzes a compromised 2FA app that was downloaded more than 10,000 times before Google took it offline in mid-January.

The app reviewed by Pradeo is called 2FA Authenticator. Although built around a legitimate open source 2FA framework, a hidden payload contained a package of malware called Vultur, a remote access Trojan (RAT). The fake authenticator took a multi-pronged approach to data theft.

First, it gathered a list of installed apps and location data (so that cybercriminals could target users in specific countries). Under the pretext of installing "updates", the malware disabled the device's security checks, running in stealth even after the victim thought the app had been closed.

When it was ready, the app launched Vultur, which focuses on banking apps. That is when a gradual drain on a victim's funds could begin. RATs themselves – and even those specifically targeting banking information – are anything but new threats, but one of the more insidious features of this one is just how well hidden it was.

Outwardly the app worked just as a reasonable user would expect, but 2FA Authenticator was a wolf in sheep's clothing: the malicious software was essentially hidden inside a shell of open source code from the entirely legitimate Aegis Authenticator 2FA app (which, by the way, is our favorite choice for 2FA authentication on Android).
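The behaviours described above (enumerating installed apps, reading location, side-loading an "update", staying resident after the UI is closed) each require Android permissions that a plain TOTP authenticator has no reason to request. Because the trojanized app wrapped the open source Aegis code, one cheap triage step is to diff the repackaged build's manifest against the upstream project's manifest and explain every added permission. The script below is an added illustration, not code from Pradeo, Aegis or the article; both manifests are constructed stand-ins, and the article does not state which permissions 2FA Authenticator actually requested, so the permission-to-behaviour mapping is an assumption chosen to match the report's description.

```python
"""Triage added permissions in a repackaged Android app.

Added example: compares a candidate manifest against the upstream (open
source) manifest it was built from and explains each permission that was
added.  The manifests and the permission mapping are constructed
assumptions, not data from the Pradeo report or the Aegis project.
"""
import xml.etree.ElementTree as ET

# Namespace used for android:name attributes in AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed stand-in for the legitimate upstream manifest (Aegis-like; not the real file).
UPSTREAM_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.authenticator">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
</manifest>
"""

# Constructed stand-in for a repackaged build (illustrative; not the real 2FA Authenticator).
REPACKAGED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.authenticator">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>
"""

# Assumed mapping from real Android permissions to the behaviours the report
# describes.  The article does not list the app's actual permissions.
WHY_IT_MATTERS = {
    "android.permission.QUERY_ALL_PACKAGES": "enumerates installed apps",
    "android.permission.ACCESS_FINE_LOCATION": "collects location (country targeting)",
    "android.permission.ACCESS_COARSE_LOCATION": "collects location (country targeting)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can side-load an 'update' payload",
    "android.permission.FOREGROUND_SERVICE": "keeps running after the UI is closed",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts itself at boot",
}


def manifest_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def added_permissions(upstream_xml: str, candidate_xml: str) -> list:
    """Permissions the candidate requests that the upstream source does not."""
    return sorted(manifest_permissions(candidate_xml) - manifest_permissions(upstream_xml))


def triage(upstream_xml: str, candidate_xml: str) -> dict:
    """Map each added permission to the behaviour it enables (or a generic note)."""
    return {
        perm: WHY_IT_MATTERS.get(perm, "not present upstream; review manually")
        for perm in added_permissions(upstream_xml, candidate_xml)
    }


if __name__ == "__main__":
    for perm, why in triage(UPSTREAM_MANIFEST, REPACKAGED_MANIFEST).items():
        print(f"{perm}: {why}")
```

On a real APK the manifest is binary-encoded, so it must first be decoded (for example with apktool or aapt) before being fed to this script; the diff-against-upstream idea is the same. Permissions are only one signal: an app can request little and still abuse an accessibility service or a downloaded payload, so treat an empty diff as "nothing obvious", not as a clean bill of health.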