Delete This Authenticator Android App Immediately To Avoid Its Banking Malware Payload
A two-factor authentication (2FA) app that has been making the rounds on Google Play could steal your banking information, say researchers at Pradeo, a mobile security research and product provider based in France. According to the team, the app has been removed from the Google Play store, but it remained active and available for 15 days, driving 10,000+ confirmed installations. Reportedly, the app also includes a "trojan-dropper" that installs bank information-stealing malware onto the end user's mobile device. Anyone who installed the app is advised to remove it immediately. The details of the app follow so that you can find and remove it yourself.
- https://play.google.com/store/apps/details?id=com.privacy.account.safetyapp (the app has since been removed)
- 2FA Authenticator
- Version 1.0
The attack worked in two stages. In the first stage, the app bypasses permission access requests, which gives it access to details on the device. This allows the app to collect and send the user's app list and localization information. The permissions granted also allowed it to disable almost any security functionality on the device, download apps without permission, perform functions even when the app is closed, and overlay other applications with its own interface. The overlay is a tricky way to present a false login page or use other methods of stealing data. In the second stage, the app triggers the installation of the Vultur malware in order to steal the victim's banking information.
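The following added example (not from this article or from Pradeo's report) audits the output of `adb shell dumpsys package <id>` for the capabilities described above. The permission names mapped to each capability and the sample output are assumptions constructed for illustration; only the package id comes from this page.

```python
import re
FLAGGED_PACKAGE = "com.privacy.account.safetyapp"  # id from the Play URL on this page

# Assumed mapping from the behaviours described above to Android permission
# names; the article itself does not list permission strings.
CAPABILITIES = {
    "collect app list": {"android.permission.QUERY_ALL_PACKAGES"},
    "collect location": {"android.permission.ACCESS_FINE_LOCATION"},
    "disable lock screen": {"android.permission.DISABLE_KEYGUARD"},
    "install apps": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "run while closed": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "overlay other apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

def requested_permissions(dumpsys_text):
    """Return the names listed under 'requested permissions:'."""
    perms, in_section = set(), False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_section = True
        elif in_section:
            if not stripped or stripped.endswith(":"):  # next section header
                break
            perms.add(stripped.split(":")[0])  # drop suffixes like ": restricted=true"
    return perms

def audit(dumpsys_text):
    """Report which of the capabilities above a package has requested."""
    match = re.search(r"Package \[([\w.]+)\]", dumpsys_text)
    package = match.group(1) if match else None
    perms = requested_permissions(dumpsys_text)
    found = sorted(cap for cap, names in CAPABILITIES.items() if names & perms)
    return {"package": package,
            "is_flagged_package": package == FLAGGED_PACKAGE,
            "capabilities": found,
            "dropper_pattern": {"overlay other apps", "install apps"} <= set(found)}

# Constructed sample in the layout of dumpsys output; not captured from the real app.
SAMPLE = """  Package [com.privacy.account.safetyapp] (1a2b3c4):
    requested permissions:
      android.permission.INTERNET
      android.permission.QUERY_ALL_PACKAGES
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
"""
print(audit(SAMPLE))
```

A requested permission is not necessarily a granted one, so treat a match on `dropper_pattern` as a reason to inspect the app further.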
As stated above, anyone who may have installed this app is advised to remove it immediately. The full report from Pradeo is available here.