
Vultur Malware Found Within Fully Functioning 2FA App on Google Play Store

A banking trojan disguised as a two-factor authentication application named 2FA Authenticator has been removed from the Google Play store after being available for 15 days. The fully functional app, built on the open-source Aegis authenticator code, was downloaded more than 10,000 times before its removal. The malware bundled with the app is the Vultur stealer, which has keylogging and screen-recording capabilities. These are used to capture banking login credentials from unsuspecting Android users. The app can also request additional device privileges from the user, which could expose the device to further threats. ThreatFabric, which is credited with the discovery of Vultur, commented: “The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking trojans: this approach usually requires more time and effort from the actors in order to steal relevant information from the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result.”

Analyst Notes

Although the application has been removed from the Google Play store, users who have already installed it remain at risk. Device owners who have the app installed should remove it as soon as possible and change the passwords of any accounts that hold sensitive information, since credentials entered on the device may have been captured. Play store apps should be vetted and given a thorough review before being downloaded to a device.

2FA App Loaded with Banking Trojan Infests 10K Victims via Google Play