Malware-Infested App on the Google Play Store, Disguised as a 2FA App, Actually Steals Your Financial Data

On January 24, 2022, the French mobile-security firm Pradeo published a statement about a 2FA app that had surfaced on the Google Play Store. The app, disguised as a 2FA authentication app, was injected with the “Vultur” stealer malware, which is able to steal financial data. Even though the app offered fully functional 2FA, it was discovered to be a “trojan dropper”, a tool attackers use to “drop” malware onto users’ mobile devices.

10K+ Downloads in Only 2 Weeks

Sadly, the app was live on the Google Play Store for more than 2 weeks and evaded the store’s malware detection systems for the whole of that time. In that window it was downloaded onto at least 10,000 devices before it was removed from the store on January 27th, 2022, after Pradeo informed Google. This means the people operating the malware could potentially have had access to all of these victims’ bank accounts and stolen their money long before anyone knew the app existed.

How does it work?

Once installed, the app drops the Vultur banking trojan by disguising it as an update to the 2FA app. Vultur is a remote access trojan (RAT) that keylogs and screen-records the compromised device in order to read what the user types when entering financial information. This method of data theft allowed the group to automate the process and scale it to a mass level. The app also compromises the device by requesting a flurry of permissions that were not listed in its Google Play Store profile. Once it holds all of those permissions it can do far more than steal financial data: it can access the device’s geolocation and even disable the device’s password security measures.
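The permission mismatch described above is something a reviewer can check for before installing. The script below is an added example, not code from the post or from Pradeo: it audits a decoded AndroidManifest.xml against the small permission set a stand-alone authenticator plausibly needs (an assumption: camera for QR codes plus network access) and flags anything beyond that, including accessibility-service and device-admin components, which are the Android capabilities that allow screen reading, input capture and lock-screen policy changes. The manifest it parses is constructed for the example and is not the real app’s manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: what a stand-alone 2FA/authenticator app legitimately needs.
EXPECTED_FOR_2FA_APP = {
    "android.permission.CAMERA",    # scanning QR codes for new accounts
    "android.permission.INTERNET",  # network access
}

# Why a given extra permission matters, in terms of the behaviour described above.
HIGH_RISK = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can side-load an 'update' (dropper behaviour)",
    "android.permission.ACCESS_FINE_LOCATION": "geolocation access",
    "android.permission.READ_SMS": "can read SMS one-time codes",
}

# Constructed sample manifest for this example (not the real app's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.authenticator">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


def audit_manifest(xml_text, expected=EXPECTED_FOR_2FA_APP):
    """Return (item, reason) findings for permissions and privileged components
    that go beyond what an authenticator app needs."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name", "")
        if name not in expected:
            findings.append((name, HIGH_RISK.get(name, "not needed by a 2FA app")))
    # Components guarded by these system permissions are the ones that can observe
    # the screen and input, or change lock-screen policy.
    for el in root.iter():
        guard = el.get(ANDROID_NS + "permission")
        if guard == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append((el.get(ANDROID_NS + "name"), "accessibility service: can read screen and input"))
        elif guard == "android.permission.BIND_DEVICE_ADMIN":
            findings.append((el.get(ANDROID_NS + "name"), "device admin: can alter lock-screen security"))
    return findings


if __name__ == "__main__":
    for item, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"FLAG {item}: {reason}")
```

On a real APK the manifest is binary XML and must first be decoded with a tool such as apktool or aapt before being fed to this script.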

How did this app trick everyone including Google?

The app used the open-source Aegis Authenticator code to offer real 2FA functionality. Because of this, people who installed it kept using it, believing it harmless, while their valuable information was being stolen. As for Google, it is baffling that the Play Store could leave such an app up for so long without raising any alarms. The Play Store is supposed to filter out malicious apps and protect its users from dangers exactly like this one, but that filtering only works when the store is being monitored heavily, which does not seem to be the case. Even though the Play Store does a good job of keeping general malware-infected apps out of its garden, an app like this one, which hides its true purpose well enough, can slip through Google’s filtration process. Google should definitely do better, considering how many people use its Play Store and assume they are safe while doing so.

So what should I do now?

Well, now that the app has been removed from the Play Store, there are some lessons to take from all of this. For one, it’s important for all of us to put less trust in the Google Play Store and to do as much as we can to manually verify any app we install on our phones. We can do this by using different methods of verifying an app before we trust it; for example, find out as much as possible about the developers and teams behind any app you are about to download.

Published by Mohamed Elhefnawy

A 3rd year computer science student from Egypt, born and raised in Dubai.


25 Comments

  1. The amount of information this blog has is quite appreciable. It is very easy to get scammed by such apps since the amount of trust people, including myself, put in the Play Store is enormous, and we should be careful about it.
    Very good job on the blog!

  2. This is a very interesting blog post. I like how you gave a recommendation near the end of your post about what to do. It is interesting how there were so many downloads without the app being flagged or taken down. People should ask around and do their research really before downloading an entire app onto their devices. Hopefully, as scammers and hackers find ways, people find stronger ways to counter these attacks.

    1. Yes, for sure. I think it’s everyone’s duty to verify any apps they download from the online stores, and remember not to trust any big tech app store, because no one has impenetrable security!

  3. It was quite interesting to learn about this hacking method. I think the majority of people (including myself) often put too much trust in big tech to protect us from things like malware and stolen data. It’s especially harder to notice suspicious activity from an app when its job is specifically to “strengthen” your login systems. Very cool blog, thanks for sharing!

  4. I had to look twice when I saw your blog’s headline! I always had strong faith in the Apple and Google stores. After reading this article, I really questioned whether I should be downloading apps on my phone at all. The same goes for my laptop: I usually just download files and apps without any hesitation because I always trusted my security, but after seeing this, I should really be careful downloading stuff from unknown sites. Thank you for the information!

    1. Yes, I definitely agree. Be sure to always use the identify, authenticate, authorize process that we learned in class to verify that all apps you download are safe, and happy web surfing 🙂

  5. This blog was eye-opening, as I believed one of the best features of Google was their security, but it amazes me that hidden malware of this potential was able to sneak through. This shows that even though Google is one of the most reputable software giants in the world, they are still not bulletproof.
    A good takeaway from the article would be that one should never blindly trust anything online, and should always add another layer of safety by being cautious oneself.

  6. So in this case, for instance, how would the users have verified the app itself? Would checking the developers have been enough, or are there other strategies that could have been employed by users?
    Furthermore, is this an indication of a new type of attack vector in your opinion? It seems like it could be a successful way to infiltrate into someone’s device without them knowing.

  7. Very interesting post! To think that an application meant to help secure your accounts was stealing your information. I hope this event makes Google reevaluate their application review process. But I guess, to protect yourself from this, you could make sure you understand why an application is asking for a permission before granting it.

