Delete This Authenticator Android App Immediately To Avoid Its Banking Malware Payload

A Two-Factor Authentication (2FA) app that had been making the rounds on Google Play could steal your banking information, say researchers at Pradeo, a mobile security research and product provider based in France. According to the team, the app has been removed from the Google Play store; however, it remained live and available for 15 days, driving 10,000+ confirmed installations. Reportedly, the app also includes a "trojan-dropper" that installs bank information-stealing malware onto the end user's mobile device. Anyone who installed it is advised to remove it immediately. The following are the details of the app so that you can remove it yourself.
  • App name: 2FA Authenticator
  • Application ID: com.privacy.account.safetyapp
  • Version: 1.0
  • Play Store listing: https://play.google.com/store/apps/details?id=com.privacy.account.safetyapp (the app has since been removed)
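As an added example (not from the article or from Pradeo's report), the following POSIX shell function checks a package list in the format printed by Android's `pm list packages` command against the Application ID given above, so you can confirm whether the app is present before uninstalling it. The sample package lines are constructed for offline use; running it against a real phone via `adb` assumes USB debugging is enabled.

```shell
#!/bin/sh
# Added example: scan an Android package list for the malicious Application ID
# named in the article. Not Pradeo's tooling; the "package:" line format is
# what `pm list packages` prints on a device.

# Known-bad package IDs, one per whitespace-separated entry.
# The only ID here is the one reported in the article.
KNOWN_BAD='com.privacy.account.safetyapp'

# Reads `pm list packages` output on stdin and prints every installed package
# that matches KNOWN_BAD. Returns 1 if anything was flagged, 0 otherwise, so
# the function can be used directly in scripts and conditionals.
flag_known_bad_packages() {
    found=0
    while IFS= read -r line; do
        # Each line looks like "package:com.example.app"; strip the prefix.
        pkg=${line#package:}
        for bad in $KNOWN_BAD; do
            if [ "$pkg" = "$bad" ]; then
                printf '%s\n' "$pkg"
                found=1
            fi
        done
    done
    return $found
}

# Constructed sample output (not captured from a real device) for an offline run;
# the second line is the Application ID from the article.
SAMPLE='package:com.example.mail
package:com.privacy.account.safetyapp
package:com.example.maps'

# Offline demonstration against the constructed sample:
#   printf '%s\n' "$SAMPLE" | flag_known_bad_packages
#
# Against a phone connected over adb (USB debugging required):
#   adb shell pm list packages | flag_known_bad_packages \
#       && echo "not installed" || echo "FLAGGED: uninstall it now"
#
# If flagged, remove it with `adb uninstall com.privacy.account.safetyapp`,
# or from Settings > Apps on the phone itself.
```

Matching is on the exact package ID rather than the display name "2FA Authenticator", because the name is what the attacker chose to look trustworthy while the Application ID is what Android actually installed.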
The app in question presents itself as a multi-factor authentication utility called “2FA Authenticator” and was identified by Pradeo as a “trojan-dropper”. It installs malware known as Vultur, which was designed specifically to steal mobile banking credentials. For the 10,000+ users who installed the software before it was pulled from the Google Play Store, the app did function as a working multi-factor authenticator, which made it all the more convincing. The app reused the open-source code of the Aegis authenticator, into which the criminals injected the malicious code used to steal people’s banking data.

If this app is on your phone, delete it now. It's malware and will steal banking credentials

The attack worked in two stages. The first stage obtains permissions that give the app access to details on the device. This allows the app to collect and send the user’s list of installed apps and location information. The permissions granted also allowed it to disable almost any security functionality on the device, download apps without the user's consent, keep running even when the app is closed, and overlay other applications with its own interfaces. Overlays are a common way to display a fake login page over a legitimate app and capture whatever the user types. The second stage triggers the installation of the Vultur malware in order to steal the victim’s banking information.

As stated above, anyone who may have installed this app is advised to remove it immediately. The full report from Pradeo is available here.