Google got a wake-up call this week regarding Google Play Store security after a malicious Android app remained available to download for 15 days. During that time, over 10,000 people installed the app thinking it was a legitimate two-factor authentication solution.
As ZDNet reports, cyber security company Pradeo discovered the malicious app, which is called 2FA Authenticator. The Google Play Store page for the app (which thankfully is no longer available) described it as "a secure authenticator for your online services, while also including some features missing in existing authenticator apps, like proper encryption and backups." However, that was just a front for the app's real goal: stealing your financial information.
There's a legitimate app called Aegis Authenticator, which offers to manage your two-step verification tokens. It's free and open source, so the developers of 2FA Authenticator decided to take full advantage. They copied the open source code used for Aegis and injected malicious code into it. The end result is an app capable of passing Google's Play Store security checks, but which could turn malicious once installed on a user's Android phone or tablet.
Upon installation, the app requests "critical permissions" on the device, which allow it to perform a number of tasks, including disabling keylock and password security, downloading third-party apps and updates, continuing to work in the background even after the user exits the app, and placing an overlay on other app interfaces. It also has access to the user's data.
If 2FA Authenticator finds that a device meets several conditions, a Remote Access Trojan (RAT) called Vultur is downloaded and installed without the user's knowledge.
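For defenders vetting a repackaged build of an open-source app, the permission changes described above are visible in the decoded manifest. The following is an added example, not code from Pradeo, Aegis or the original article: it diffs the permissions of a candidate build against the upstream build and flags the capabilities listed above. The permission-name mapping, both sample manifests, the package names and the flagging threshold are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: Android permissions matching the capabilities the article lists.
RISKY = {
    "android.permission.DISABLE_KEYGUARD": "disable keylock",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install third-party apps and updates",
    "android.permission.FOREGROUND_SERVICE": "keep running in the background",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay other app interfaces",
}

def manifest(package, perms):
    """Build a constructed, already-decoded AndroidManifest.xml for the demo."""
    rows = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{rows}<application/></manifest>')

# Constructed samples (hypothetical packages, not the real apps' manifests).
BASE = ["android.permission.CAMERA", "android.permission.USE_BIOMETRIC"]
UPSTREAM = manifest("org.example.upstream", BASE)
REPACKAGED = manifest("com.example.clone",
                      BASE + ["android.permission.INTERNET"] + list(RISKY))

def permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                found.add(name.strip())
    return found

def audit_repackaged(upstream_xml, candidate_xml, threshold=2):
    """Report permissions the candidate adds over upstream.

    threshold is an assumed cut-off: this many risky additions marks the
    build for manual review.
    """
    added = permissions(candidate_xml) - permissions(upstream_xml)
    risky = {p: RISKY[p] for p in sorted(added) if p in RISKY}
    return {"added": sorted(added), "risky": risky,
            "suspicious": len(risky) >= threshold}

if __name__ == "__main__":
    for perm, why in audit_repackaged(UPSTREAM, REPACKAGED)["risky"].items():
        print(f"{perm}: {why}")
```

A real APK stores its manifest in binary XML, so it has to be decoded with a tool such as apktool or aapt2 before a check like this can read it.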