"2FA App Loaded with Banking Trojan Infests 10K Victims via Google Play"

The Vultur Trojan steals bank credentials and tries to gain more permissions to do additional damage. A malicious two-factor authentication (2FA) app has been removed from Google Play after being available for over two weeks. While it was available, it was downloaded more than 10,000 times. The app, which has the functionality of a legitimate 2FA app, contained the Vultur malware, which targets and steals financial data.

Researchers at Pradeo advise those who have downloaded the malicious app, called "2FA Authenticator," to delete it from their device immediately, as they remain at risk of banking-login theft and other attacks made possible by the app's overpermissions. The app was built from the open-source Aegis authenticator code with malicious add-ons injected, which helped it spread through Google Play undetected. Once installed, it drops the Vultur banking Trojan, which was found to use keylogging and screen recording as its primary tactic for banking-data theft, allowing the operators to automate the harvesting of credentials. The threat actors chose not to use the HTML overlay strategy common in other Android banking Trojans, which normally requires more time and effort to steal information from the user; instead they record what is shown on the screen to achieve the same result.

The scam 2FA Authenticator app also asks for device permissions beyond those disclosed in its Google Play profile, which allows the attackers to perform further actions such as accessing user location data, disabling the device lock, downloading third-party apps, and more. This article continues to discuss the findings surrounding the malicious 2FA Authenticator app.
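The overpermission finding above is the kind of thing a defender can check mechanically before sideloading or approving an app: compare the permissions an APK's AndroidManifest.xml requests against what an authenticator plausibly needs, and flag anything that enables the capabilities the article describes (location, disabling the lock, installing packages, reading the screen). The script below is an added example and is not Pradeo's or Threatpost's code; the baseline permission set, the sample manifests, the package names and the `audit_manifest`/`verdict` function names are assumptions constructed for illustration, and it treats a declared accessibility service as a high-risk indicator because that component can read screen content and input.

```python
"""Audit an AndroidManifest.xml for permissions an authenticator app should not need."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Assumed baseline: what a TOTP/2FA app plausibly needs (not taken from the article).
AUTHENTICATOR_BASELINE = {
    "android.permission.CAMERA",         # scanning QR codes to enrol accounts
    "android.permission.INTERNET",       # optional backup/update traffic
    "android.permission.USE_BIOMETRIC",  # unlocking the app
    "android.permission.VIBRATE",
}

# Standard Android permissions that grant the behaviours the article attributes
# to the malicious app; the descriptions are the reason each one is flagged.
HIGH_RISK = {
    "android.permission.ACCESS_FINE_LOCATION": "reads device location",
    "android.permission.ACCESS_COARSE_LOCATION": "reads device location",
    "android.permission.DISABLE_KEYGUARD": "can disable the device lock",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install third-party apps",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart itself at boot",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def audit_manifest(manifest_xml: str) -> dict:
    """Return requested permissions, unexpected ones with a reason, and any
    service bound as an accessibility service (able to observe screen/input)."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    unexpected = sorted(requested - AUTHENTICATOR_BASELINE)
    findings = [(p, HIGH_RISK.get(p, "outside authenticator baseline")) for p in unexpected]
    accessibility = [
        s.get(NAME_ATTR) for s in root.iter("service") if s.get(PERM_ATTR) == ACCESSIBILITY_BIND
    ]
    return {
        "package": root.get("package"),
        "requested": sorted(requested),
        "findings": findings,
        "accessibility_services": accessibility,
    }


def verdict(report: dict) -> str:
    """'suspicious' if a high-risk permission or accessibility service is present,
    'review' if only non-baseline but unlisted permissions appear, else 'ok'."""
    if report["accessibility_services"] or any(p in HIGH_RISK for p, _ in report["findings"]):
        return "suspicious"
    return "review" if report["findings"] else "ok"


# Constructed sample manifests (not real apps): a plausible benign authenticator
# and one requesting the extra capabilities described in the article.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign.totp">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspicious.auth">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name="com.example.suspicious.auth.ScreenRelay"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for sample in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        report = audit_manifest(sample)
        print(report["package"], "->", verdict(report))
        for perm, reason in report["findings"]:
            print("  ", perm, ":", reason)
        for svc in report["accessibility_services"]:
            print("   accessibility service declared:", svc)
```

On a real APK, the binary manifest must first be decoded (for example with `apkanalyzer manifest print`) before being fed to `audit_manifest`; the baseline should be tightened to the specific app's documented feature set, and a store-listing permission mismatch like the one the article describes should be treated as a reason to block rather than merely review.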

Threatpost reports "2FA App Loaded with Banking Trojan Infests 10K Victims via Google Play"

Submitted by Anonymous on