Banking Trojan in Google Play App Store—‘2FA Authenticator’ drops Vultur RAT

An Android app has been found to drop the Vultur banking Trojan. This “dangerous” and “advanced” banking malware steals victims’ financial credentials.

But this isn’t the usual problem of third-party Android app stores. The app, 2FA Authenticator, was in the Google Play store. How did that happen?

Another day, another Android Trojan. In today’s SB Blogwatch, we can do déjà vu.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Walkies Day.

10K+ Downloads in 14+ Days

What’s the beat? Becky Bracken broadcasts bulletins—“2FA App Loaded with Banking Trojan Infests 10K Victims via Google Play”:

Harvesting credentials at scale
For more than two weeks, a malicious two-factor authentication (2FA) application … was downloaded more than 10,000 times. … The app, which is fully functional as a 2FA authenticator, comes loaded with the Vultur stealer malware that targets and swoops down on financial data.

The threat actors developed an operational and convincing application to disguise the malware dropper, using open-source Aegis authentication code injected with malicious add-ons. … The Vultur remote access Trojan (RAT) malware [uses] keylogging and screen recording as its primary tactic for banking-data theft, enabling the group to automate the process of harvesting credentials at scale.

And Dan Goodin adds in—“2FA Authenticator offered real 2FA functionality, but it came with strings attached”:

Extraordinary number and breadth of system permissions
Posing as an alternative to legitimate 2FA apps from Google, Twilio, and other trusted companies [it] collected a list of apps installed on the device along with the device’s geographic location. The app would also disable the Android lock screen, download third-party apps with the pretense they were “updates,” and overlay other mobile app interfaces to confuse users.

In retrospect, there were red flags that experienced Android users could have spotted that 2FA Authenticator was malicious. Chief among them were the extraordinary number and breadth of system permissions it required. … The same malicious 2FA Authenticator app remains available in third-party marketplaces.

An email seeking comment from the developer address listed in the Google Play listing didn’t receive an immediate response. … Google representatives weren’t immediately available for comment.

Horse’s mouth? Pradeo’s Roxane Suau is … well … fed up with red light jokes—“Malicious app on Google Play drops banking malware”:

Users of this app are advised to delete it immediately; we have alerted the Google Play team. … The application has finally been removed from Google Play on January 27th, after staying available on the store for 15 days.

This isn’t the usual story of third-party app stores. This app was on Google Play. Saris is dumbfounded:

You would think if Google’s malware scanning was doing anything useful it would have flagged this purely because of the wide permissions it requests.

As is cervier:

How did it get approved to be on the Google Play store? The list of permissions it asked is a HUGE red flag.

But not so fast. Meet UncleMeat: [You’re fired—Ed.]

Virtually zero consumers choose apps based on permissions
If “requests a lot of permissions” was sufficient to get apps taken off the Play store then we’d see way more “Help, Google took down my app and I’m mad” posts. … RECEIVE_BOOT_COMPLETED is really the only thing suspicious in that list since this is used for a few more old school malicious behaviors.

The permission model is messy but made much worse by the volume of SDK code that is actually in most apps today. … If you build in the SDK then you are collecting their permissions even if you aren’t using the code that needs it. And given that virtually zero consumers choose apps based on permissions, there is little incentive to pare down the list to the minimum needed.
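A practical footnote on the permission argument above, added here as an example and not part of the original Blogwatch, the Ars Technica or Pradeo write-ups, or the Aegis project: the behaviours Goodin lists (inventorying installed apps, reading location, disabling the lock screen, pulling "updates", drawing overlays) and the RECEIVE_BOOT_COMPLETED persistence UncleMeat mentions each map onto a declared Android permission, so a reviewer can triage a merged manifest against that map before ever decompiling the app. The script below parses a manifest and reports which requested permissions enable which capability and which have no obvious business in an offline TOTP authenticator. The permission-to-capability table is my reading of the reported behaviours, not a list the articles give, and both manifests are constructed for illustration; neither is the real 2FA Authenticator manifest. Run it against the merged manifest extracted from the built APK (for example with `apkanalyzer manifest print app.apk` from the Android SDK command-line tools), since that is where SDK-contributed permissions show up.

```python
"""Triage an Android manifest for permissions that enable the behaviours
reported for the Vultur dropper.

Added example; not from the article, Ars Technica, Pradeo or Aegis.
The manifests below are constructed, not the real app's manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from permission to the capability it would give an attacker.
# Chosen to match the behaviours described in the quoted reporting; it is an
# illustration, not a list taken from the articles.
SUSPECT = {
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed apps",
    "android.permission.ACCESS_FINE_LOCATION": "read device location",
    "android.permission.ACCESS_COARSE_LOCATION": "read device location",
    "android.permission.DISABLE_KEYGUARD": "dismiss the lock screen",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install fetched APKs as 'updates'",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on other apps",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart at boot (persistence)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "read screen / inject input",
}

# What an offline TOTP authenticator plausibly needs: the camera for QR import.
# Anything outside SUSPECT and this set is reported as 'unexplained'.
EXPECTED_FOR_AUTHENTICATOR = {"android.permission.CAMERA", "android.permission.VIBRATE"}

# Constructed manifest resembling a trojanised authenticator.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.authenticator.clone">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

# Constructed manifest for an honest offline authenticator.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.authenticator.honest">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> in document order."""
    root = ET.fromstring(manifest_xml)
    return [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]


def triage(manifest_xml: str) -> dict:
    """Split requested permissions into flagged (with the capability each
    enables), unexplained (not expected for an authenticator) and the raw list."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: SUSPECT[p] for p in perms if p in SUSPECT}
    unexplained = [
        p for p in perms if p not in SUSPECT and p not in EXPECTED_FOR_AUTHENTICATOR
    ]
    return {"requested": perms, "flagged": flagged, "unexplained": unexplained}


def report(manifest_xml: str) -> str:
    """Human-readable summary, one line per finding."""
    result = triage(manifest_xml)
    lines = [f"{len(result['requested'])} permissions requested"]
    for perm, capability in result["flagged"].items():
        lines.append(f"  FLAG  {perm}: {capability}")
    for perm in result["unexplained"]:
        lines.append(f"  ?     {perm}: no obvious need in an offline authenticator")
    if not result["flagged"] and not result["unexplained"]:
        lines.append("  nothing outside the expected set")
    return "\n".join(lines)


if __name__ == "__main__":
    print("trojanised clone:\n" + report(SAMPLE_MANIFEST))
    print("honest authenticator:\n" + report(BENIGN_MANIFEST))
```

The point UncleMeat makes still applies: a flagged manifest is a reason to look harder, not proof of malice, because an embedded SDK can drag in SYSTEM_ALERT_WINDOW or location permissions the app never exercises. The triage only tells you where to point the decompiler.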

Wouldn’t it be better if Google’s Play Store was a walled garden—like the Apple App Store? Tridus says that would be begging the question:

Poorly enforced
The Play Store is a walled garden. It’s just one where the front door is left wide open for whatever people feel like putting up.

The idea that walled gardens are safer only works if the wall is actually being monitored. Apple happens to be strict about that, but then you get other ridiculous outcomes instead—like Apple deciding you shouldn’t be allowed to have “mature” content in Discord because puritanical American morals get imposed on the rest of us, and you have to just live with it because Apple knows what’s best.

The big issue … is they claim to run an app store with strict controls in place to prevent this kind of thing, but they clearly don’t do a good job. … I’d argue a poorly enforced walled garden is worse than a wide open landscape, because it lulls people into a false sense of “Google approved it, so it must be fine.”

And what of the team behind the stolen Aegis code? Here’s alexbakker:

The state of the Google Play Store
It sucks to see your open source work being abused like this, and there’s seemingly nothing we can do about it. Every now and then I scour the Play Store to see if I can find any Aegis clones.

We’ve reported a couple that didn’t have a link to the source code and/or were linking proprietary libraries … but they’re still up. Of course, those cases aren’t as bad as this one where actual malware was included, but it’s pretty telling about the state of the Google Play Store.

Meanwhile, Goofball_Jones sounds slightly sarcastic:

At least this is on the Play Store! We are currently suing Apple so we can sideload apps such as these so we too can enjoy the rich goodness!

And Finally:

Norman the plant enjoys his owner’s body for a day

Hat tip: Sheep Films, who says, “I’ve not made a short film in eight years, but lockdown in 2020 finally gave me the kick up the **** I needed. … It still took 15 months to make, but it’s finally finished.”


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Pathum Danthanarayana (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
