The Vultur trojan steals banking credentials, then requests permissions that let it inflict even more damage later.
A fraudulent two-factor authentication (2FA) app has been removed from Google Play after being available for more than two weeks, but not before it was downloaded more than 10,000 times. The app, which works as a fully functional 2FA authenticator, carries the Vultur stealer malware, which targets and swoops down on financial information.
Researchers at Pradeo warn users who installed the malicious app, simply named "2FA Authenticator," to delete it straight away, since they remain at risk both from banking-login theft and from other attacks made possible by the app's excessive permissions.
Using the open-source Aegis authenticator code combined with malicious additions, the threat actors built a working and convincing app to mask the malware dropper. According to a Pradeo analysis, this enabled it to spread unnoticed via Google Play.
“As a result, the application is successfully disguised as an authentication tool, which ensures it maintains a low profile,” the report added.
Once the app is installed, it drops the Vultur banking trojan, which, among other things, harvests financial and banking data from the affected smartphone.
The Vultur remote access trojan (RAT) malware, initially discovered by ThreatFabric investigators in March, was the first of its type to use keylogging and screen recording as its main approach to stealing banking data, allowing its operators to systematize and scale the theft of credentials.
“The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking trojans: this approach usually requires more time and effort from the actors to steal relevant information from the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result,” ThreatFabric said at the time.
According to the Pradeo team, the fake 2FA authenticator also requests device permissions that are not shown in its Google Play profile.
Those stealthily obtained, elevated privileges let the attackers access user location data so that attacks can be aimed at specific regions, disable device lock and password security, download third-party apps, and retain control of the device even if the app is shut down, according to the report.
Once the device is fully compromised, the app installs Vultur, “an advanced and relatively new kind of malware that mostly targets online banking interface to steal users’ credentials and other critical financial information,” the report said.
Pradeo discovered another sneaky tactic used by the malicious 2FA app: it acquires the SYSTEM_ALERT_WINDOW permission, which lets it draw its own windows over the interfaces of other mobile apps.
"Very few apps should use this permission; these windows are intended for system-level interaction with the OS," Google stated.
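As an added defender-side example (not from the Pradeo report or the article), the following Python script parses `adb shell dumpsys package` output and flags installed packages that request a combination of permissions matching the over-permission behaviour described above. The mapping from that behaviour to Android permission names, and the dumpsys excerpt, are assumptions constructed for the example; the article itself names only SYSTEM_ALERT_WINDOW.

```python
"""Audit `adb shell dumpsys package` output for packages requesting more than a 2FA app needs."""
import re

# Assumed mapping from the over-permissions described in the article to
# Android permission names (the report itself names only SYSTEM_ALERT_WINDOW).
RISKY = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw windows over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install third-party apps",
    "android.permission.ACCESS_FINE_LOCATION": "read device location",
    "android.permission.DISABLE_KEYGUARD": "disable the lock screen",
}

# CONSTRUCTED sample dumpsys excerpt: a plausible authenticator and an over-permissioned one.
SAMPLE_DUMPSYS = """\
Package [com.example.totp] (1a2b3c):
    requested permissions:
      android.permission.CAMERA
Package [com.example.fake2fa] (4d5e6f):
    requested permissions:
      android.permission.CAMERA
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
"""

def parse_requested_permissions(text):
    """Return {package: set(permissions)} from each 'requested permissions:' section."""
    result, current, in_requested = {}, None, False
    for line in text.splitlines():
        header = re.match(r"Package \[([\w.]+)\]", line)
        if header:
            current, in_requested = header.group(1), False
            result[current] = set()
            continue
        stripped = line.strip()
        if stripped.endswith(":"):           # a section header inside the package block
            in_requested = stripped == "requested permissions:"
        elif in_requested and current and stripped:
            result[current].add(stripped.split(":")[0])  # drop any ': restricted=...' suffix
    return result

def audit(text, min_hits=2):
    """Flag packages requesting at least min_hits RISKY permissions; return {pkg: {perm: why}}."""
    findings = {}
    for pkg, perms in parse_requested_permissions(text).items():
        hits = {p: RISKY[p] for p in perms if p in RISKY}
        if len(hits) >= min_hits:
            findings[pkg] = hits
    return findings
```

On a real device, feed it `adb shell dumpsys package` instead of the sample text; a TOTP authenticator that scans QR codes needs little beyond CAMERA, so any package hitting the RISKY set deserves a closer look.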
Despite the researchers reporting their findings to Google Play, the malicious 2FA Authenticator app loaded with the banking malware remained available for 15 days, according to the Pradeo team.