Malicious authenticator app removed from Google Play Store

Google Play Store has once again hosted a malicious app, one that went undetected for 15 days. The app in question, 2FA Authenticator, deceived over 10,000 users into downloading it by posing as a secure authenticator with robust encryption and backup features. In reality, the app contained malicious code designed to steal sensitive financial information.

Discovered by cybersecurity firm Pradeo, the 2FA Authenticator app masqueraded as a legitimate tool with support for HOTP and TOTP, leading users to believe it could import protocols from popular authenticator apps like Google Authenticator and Authy.

Despite passing through Google Play Store’s security checks, the app immediately unleashed its malicious payload once installed on a device, requesting critical permissions such as biometric access, camera usage, system alerts, and more. This allowed the app to collect on-device data, disable keylocks and passwords, install unauthorized apps, and create overlay windows.
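A triage check for the permission pattern described above, as an added example that is not from the original article or from Pradeo: it parses a decoded AndroidManifest.xml and lists the permissions requested beyond what an authenticator plausibly needs. The Android permission names, the baseline set and the sample manifest are assumptions constructed for illustration; the article does not give the exact permission identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumption: what a TOTP/HOTP authenticator plausibly needs (QR scan, app lock).
AUTHENTICATOR_BASELINE = {P + "CAMERA", P + "USE_BIOMETRIC"}

# Assumption: Android permissions matching the capabilities the article lists.
CAPABILITY = {
    P + "SYSTEM_ALERT_WINDOW": "create overlay windows",
    P + "REQUEST_INSTALL_PACKAGES": "install further apps",
    P + "DISABLE_KEYGUARD": "disable the keylock",
    P + "QUERY_ALL_PACKAGES": "enumerate installed apps",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def triage(manifest_xml, baseline=AUTHENTICATOR_BASELINE):
    """List (permission, capability) pairs requested beyond the baseline."""
    extra = requested_permissions(manifest_xml) - baseline
    return sorted((p, CAPABILITY.get(p, "unclassified, review manually"))
                  for p in extra)

# Constructed sample manifest (not taken from the real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.authenticator">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission-sdk-23 android:name="android.permission.DISABLE_KEYGUARD"/>
</manifest>"""

if __name__ == "__main__":
    for perm, why in triage(SAMPLE):
        print(f"{perm}: {why}")
```

Camera and biometric access are expected for an authenticator, so the overlay, package-install and keyguard requests are the ones that stand out in review.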

Ultimately, the app served as a gateway for the installation of the Vultur Remote Access Trojan (RAT), enabling cybercriminals to log keystrokes and gain access to sensitive information entered into banking and cryptocurrency apps, potentially leading to theft of funds.

The perpetrators behind the app executed their plan with precision, targeting users based on location and installed apps. By tricking users into downloading updates, the 2FA Authenticator app bypassed system security checks and continued its malicious activities even when the app was closed.

In conclusion, this malicious app, disguised as a helpful tool, posed a serious threat to users’ financial security. It has since been removed from the Play Store, but if you have it installed on your device, it is crucial to uninstall it immediately and perform a factory reset to ensure your safety.
