A fake two-factor-authentication app that has been downloaded thousands of times from the Play store has installed a banking-fraud trojan that scoured phones for financial data and other personal information.
Two weeks ago, 2FA Authenticator went live on the Play Store, posing as an alternative to legitimate 2FA apps. Researchers from security firm Pradeo said on Thursday that the app takes personal data from user devices and uses it to determine whether a phone should download a banking trojan or not.
The developers of 2FA Authenticator wanted to make it look like it was real. An analysis of the software shows that it was programmed to give the service it advertised.
Stage one of the 2FA Authenticator collected a list of apps installed on the device along with the device's geographic location. Third-party apps would be downloaded with the pretense they were updates, and the lock screen would be disabled.
Stage two of 2FA Authenticator would install Vultur if the phones were in the right places and the right apps were installed.
According to Pradeo, 2FA Authenticator went live on January 12 and was taken down by the internet giant about 12 hours later. The app was installed by about 10,000 people over the course of two weeks. It is not clear if any of them have been notified that the security app they thought they were getting was a banking-fraud trojan.
There were red flags that experienced users could have spotted. The number of system permission it required was extraordinary. They were included.
The official open source app code does not require any of these privileges. Something was amiss with 2FA Authenticator and app downloads posing as updates might be a sign.
An email seeking comment from the developer address listed in the listing didn't get a response. The 2FA Authenticator app is still available in third-party marketplaces. Representatives from the company weren't immediately available for comment.