Saturday04 February 2023

MFA App on Google Play Store Used to Install Banking Malware

Reading time is around minutes.

Mobile device security is not where is should be. There is just no way around this fact. The vas majority of people simple download and install an app on their phone or tablet thinking that they are not going to get something nasty. They never review the permissions that new app is asking for or what those permissions might allow it to do. Now it seems that clever threat actors have slipped a malware into a Multi-Factor Authentication (MFA) App.

The App call 2FA Authenticator was designed to mimic apps like the Google and Microsoft Authenticator apps. On the surface it was a method to add another layer of security to the places you log into. Behind the curtain the app gave itself a rather startling amount of permission on the device it was installed on.

2FA Authenticator was allowed to disable the screen lock, draw over other apps and prevent the device from sleeping. These were nestled in with normal permissions for an MFA app like take pictures, for and background data and even draw over other apps. Looking even deeper security firm Pradeo found that it had permission to query all packages, use the biometric sensor, use stored fingerprints, install packages, disable the keyboard input, and pretty much run as system with the SYSTEM_ALERT_WINDOW permission.

Pradeo researchers say that these permissions were then used to download and install malware called Vultur. They were also used to easily access banking and financial information to steal money. The App has been removed from the Google Play store (as of January 27th), but according to Google it was still installed by over 10,000 people. That is quite the payday for the threat actor group in question here.
It is clear here that this app was designed from the group up to be able to take total control over the mobile device in question. It is a significant threat and one that slipped past the Google Play Store checks that are supposed to prevent this type of app from being available. This highlights what we have always said, you cannot trust Google, Apple, or Microsoft when it comes to apps. You need to do some checking as well. If you do not know the developer, or if the app wants more permissions that it needs to run, don’t install it. If you check your apps and find any that have permissions they do not need, remove them. It is either that or remove all the banking and financial account management from your mobile device.

There is no reason to believe that mobile device attacks like this will be going anywhere. We also know that mobile security (anti-malware) is just not up to where it needs to be to protect against these types of threats. Even in the corporate environment there are little to no anti-malware solutions that do much to prevent these types of attacks. That means it falls back to the end-user to ensure they are keeping an eye on what the apps on their device are doing. Especially as they are all too often a dual use device (work and personal).

Stay safe out there

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.