Android security app installed by thousands ends up being malware
Hot on the heels of yesterday’s story about nearly 500 Android apps in Google Play that were fleecing tens of millions of people out of their hard-earned money, there is — or was — another Android app in Google Play that tried to clean out its victims’ online bank accounts.
The app was discovered by French mobile-security firm Pradeo and is called 2FA Authenticator. As its name implies, it disguises itself as a two-factor-authentication (2FA) code generator and is fully functional in that regard, as the code-generating bit of many authenticator apps is openly available and free to use.
Nevertheless, this app does nothing to improve your security. Rather, during installation it asks the user for permissions that are not stated in its Google Play profile, including the permission to install “updates” from the internet instead of receiving updates through Google Play.
Reaching out and touching you with malware
If you grant it that permission, then 2FA Authenticator reaches out to the internet and infects your phone with the Vultur banking Trojan, a particularly nasty piece of work that we first wrote about last July.
Vultur records everything that happens on your screen to capture what you type in, such as usernames and email addresses. It includes a keylogger to capture what’s not visible when you type, such as passwords. It will send that information to its controllers, who can then use your login details to hijack your online bank accounts.
2FA Authenticator was available in the Google Play app store for at least 15 days and had been installed on at least 10,000 devices before it was removed yesterday (Jan. 27) after Pradeo informed Google of its presence.
Odds are that 2FA Authenticator is still available on “off-road” Android app stores, so be extremely wary if you get apps that way — the app’s unique Android package name is “com.privacy.account.safetyapp”.
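One way to check a phone for this app, as an added example that is not part of the original article or Pradeo's report: the script matches the exact package name quoted above against `pm list packages` output and lists installed apps that request the right to install other packages. The mapping to `android.permission.REQUEST_INSTALL_PACKAGES` is an assumption (the article does not name the permission), and the sample device output is constructed.

```python
import re

KNOWN_BAD = {"com.privacy.account.safetyapp"}  # package name given in the article
# Assumption: the article's "install updates from the internet" permission is
# Android's REQUEST_INSTALL_PACKAGES; the article itself does not name it.
SIDELOAD_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

# Constructed sample output, not captured from a real device.
SAMPLE_PM = ("package:com.example.notes\n"
             "package:com.privacy.account.safetyapp\n")
SAMPLE_DUMPSYS = """Packages:
  Package [com.example.notes] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.privacy.account.safetyapp] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
"""

def installed_packages(pm_output):
    """Parse `pm list packages` lines ("package:<name>") into exact names."""
    lines = (l.strip() for l in pm_output.splitlines())
    return {l[len("package:"):] for l in lines if l.startswith("package:")}

def sideload_requesters(dumpsys_output):
    """Packages whose 'requested permissions:' block lists SIDELOAD_PERM."""
    found, current, in_requested = set(), None, False
    for raw in dumpsys_output.splitlines():
        line = raw.strip()
        header = re.match(r"Package \[([\w.]+)\]", line)
        if header:                      # start of a new package record
            current, in_requested = header.group(1), False
        elif line.endswith(":"):        # any sub-section header
            in_requested = line == "requested permissions:"
        elif in_requested and current and line == SIDELOAD_PERM:
            found.add(current)
    return found

def audit(pm_output, dumpsys_output):
    pkgs = installed_packages(pm_output)
    return {"known_bad": sorted(pkgs & KNOWN_BAD),
            "can_sideload": sorted(sideload_requesters(dumpsys_output) & pkgs)}

if __name__ == "__main__":
    # Live use: pass the text of `adb shell pm list packages` and
    # `adb shell dumpsys package` to audit() instead of the samples.
    print(audit(SAMPLE_PM, SAMPLE_DUMPSYS))
```

An entry under `can_sideload` is a prompt to review the app, not proof of malice, since legitimate apps such as browsers and file managers also request this permission.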
How to get rid of 2FA Authenticator
Google can reach out and delete known malicious apps from users’ phones if the apps were installed using Google Play, but it rarely does so. If you think you may have 2FA Authenticator or another known malicious app installed on your own phone, you’ll probably need to get rid of it…