A banking Trojan detected on Google Play infected over 10,000 people

2FA Authenticator app listed on Google Play drops Vultur banking Trojan

Potentially 10k people had their banking information stolen

The 2FA Authenticator was marketed as a way to import Authy, Google Authenticator, Microsoft Authenticator, and Steam codes into one place. The developers also wrote in the description that the app provides “proper encryption and backups.” It was made to look like a professional and legitimate service, so the more than 10,000 people who installed it on their phones had no reason to suspect a thing.

The threat actors took the code of the open-source Aegis authenticator and injected malicious add-ons into it. The Vultur remote access Trojan (RAT)[1] used keylogging[2] and screen recording to steal banking data. The ThreatFabric banking security team said:

The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking trojans: this approach usually requires more time and effort from the actors in order to steal relevant information from the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result.

The automated process of harvesting credentials on a big scale

The Trojan was first detected by the Pradeo team, who found that it not only steals banking information but can also access user location data, disable passwords and locks on the device, and download third-party apps without the user's knowledge, even when the 2FA Authenticator app is not in use. The most targeted countries were Italy, Australia, and Spain. Besides financial institutions, the hackers also tried to obtain cryptocurrency wallet information.

Unlike many other banking Trojans, Vultur approaches the attack in a very different way. Most banking malware relies on social engineering techniques[3] to trick victims into thinking they are typing their private information into a legitimate banking app when they are not. Vultur instead records the screen while the victim uses the real app, so there is no fake interface to notice, making it essentially impossible for everyday users to catch inconsistencies.

One of the most worrying things is that the malicious application is completely functional as an authenticator. Users would not suspect a thing while the app ran malicious tasks on the mobile device in the background. This requires much more effort from threat actors, but as we see, they are willing to go the extra mile to maintain a low profile and avoid detection. Researchers submitted their findings to Google Play, yet the banking Trojan remained listed for 15 days, until January 27th, infecting over 10,000 users. Those who still have the 2FA Authenticator app installed should delete it as soon as possible.

Android banking Trojan attacks are expected to keep increasing

For the past 5 years, the main way to steal mobile banking login credentials has been overlay attacks. Vultur shows that threat actors are slowly moving away from rented Trojans (MaaS)[4] sold on underground markets and towards private malware tailored to their needs.

The MaaS strategy has resulted in financial gain in the short term but was found not to be very sustainable over time. The new private-malware strategy is paying off and seems to be a more sustainable business model for cybercriminals. According to ThreatFabric, overlay attacks have increased by 129% since 2019, so we can only imagine what will happen once criminals start implementing these more sophisticated techniques on a large scale. They also said:

As the mobile channels of financial institutions continue to grow, mobile banking malware will only become more popular. Besides a steep increase in mobile malware volumes targeting banking apps last year and this year, we see mobile malware becoming more and more sophisticated, enabling hard-to-detect large-scale attacks.

We can only hope that financial institutions will not fall behind and will implement new security standards that can prevent banking information theft on smartphones.

About the author

Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he serves as Editor-in-chief.
