Malware Masquerading as Android 2FA App Infected 10,000 Phones Before Removal


There are almost three and a half million apps in the Play Store, and despite Google’s alleged best efforts, malware still slips through every now and then. One recently removed app was particularly malicious, masquerading as a two-factor code manager. Known simply as 2FA Authenticator, the app picked up more than 10,000 installs until security researchers identified it as a vehicle for trojan-dropper malware.

We (and others) are always recommending two-factor authentication (2FA) as one of the best ways to secure your online accounts. Some services rely on one-time SMS codes, but 2FA apps like Google Authenticator and Authy make it easier to manage multiple 2FA tokens. 2FA Authenticator was actually a functional 2FA app — it used the open source Aegis authentication application as a base, but under that it contained the Vultur malware.

The genius of this malware is that it looked legit. You wanted a 2FA app? This one did the job, and 10,000+ people decided to give 2FA Authenticator a shot over more established names. Under the hood, however, the app abused Android permissions to copy your app list, location, and other personal information. Vultur is banking malware that aims to steal credentials and financial information. It would also attempt to disable the lock screen and download third-party apps by passing them off as app updates. This behavior looks suspicious to anyone familiar with how Android works, but that’s not most people.


Perhaps the most troubling innovation in this piece of malware is a built-in implementation of VNC screen sharing. You can probably see where this is going. When people entered their 2FA keys into this app, the attacker could watch in real time and swipe banking details and two-factor codes.

The app was live for about two weeks, reports Ars Technica, longer than most malware that slips into the Play Store. It’s likely that the app’s functional 2FA capabilities helped it fly under the radar for a while. Google has tools to remotely nuke apps downloaded from the Play Store, but it’s unclear whether it has done so in this case. Anyone who worries they downloaded the app should factory reset the phone and start changing passwords. The package name is “com.privacy.account.safetyapp”. If you see that in your app settings, it’s time to panic.
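For readers who would rather check a device from a terminal than scroll through app settings, here is an added example (not part of the original article, and not a tool from Google or the researchers) that looks for the package name reported above in a `pm list packages` style listing. On a real device that listing comes from `adb shell pm list packages`; the script embeds a constructed listing so it runs offline, and it matches the package name exactly so a look-alike name does not produce a false hit.

```shell
#!/bin/sh
# Added example: scan an Android package listing for the reported indicator.
# The indicator is the package name quoted in the article.
IOC_PACKAGE="com.privacy.account.safetyapp"

# Constructed sample listing in the "package:<name>" format that
# `adb shell pm list packages` prints. The names other than the IOC are
# made up for this example.
SAMPLE_LISTING='package:com.android.settings
package:com.example.clean.notes
package:com.privacy.account.safetyapp
package:com.example.some.other.app'

# check_listing LISTING
# Returns 0 (found) if the listing contains the IOC package name exactly,
# 1 otherwise. -F treats the dots literally, -x requires a whole-line match.
check_listing() {
    printf '%s\n' "$1" | grep -Fxq "package:$IOC_PACKAGE"
}

# report_listing LISTING
# Prints a one-line verdict; the exit status mirrors check_listing so the
# function can be used in scripts as well as by hand.
report_listing() {
    if check_listing "$1"; then
        echo "FOUND: $IOC_PACKAGE is installed; factory reset and rotate passwords"
        return 0
    fi
    echo "not found: $IOC_PACKAGE"
    return 1
}

# scan_device
# Pulls the live listing over adb (requires adb in PATH and a connected,
# USB-debugging-enabled device) and reports on it.
scan_device() {
    report_listing "$(adb shell pm list packages)"
}

# Stand-alone demonstration on the constructed listing.
report_listing "$SAMPLE_LISTING"
```

Run `scan_device` instead of the last line to check a connected phone; the exit status is 0 when the package is present, which makes the check easy to wire into a fleet-wide loop over `adb devices`.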
