A new malicious campaign targeting Android users via a trojan app has been detected in the wild. The payload of the campaign is the Vultur trojan that harvests banking credentials, among other malicious activities.
The culprit, a malicious two-factor authentication (2FA) app, which was available for download for more than two weeks, was downloaded 10,000 times. The app was a fully functional 2FA authenticator (with the same name) but it came with a “bonus”. If you have downloaded the 2FA Authenticator app, you should remove it immediately because you are still exposed, Pradeo researchers warned.
According to Pradeo’s report:
The application called 2FA Authenticator is a dropper leveraged to spread malware on its users’ devices. It has been developed to look legitimate and provide a real service. To do so, its developers used the open-source code of the official Aegis authentication application to which they injected malicious code. As a result, the application is successfully disguised as an authentication tool which ensures it maintains a low profile.
However, the most notable capability of the trojan app is that it is able to request critical permissions that it doesn’t disclose on its Google Play profile. Thanks to these permissions, the app is able to perform the following activities on a compromised Android device:
- Collect and send users’ application list and localization to its perpetrators, so they can leverage the information to perform attacks targeted towards individuals in specific countries that use specific mobile applications, instead of massive untargeted attack campaigns that would risk exposing them,
- Disable the keylock and any associated password security,
- Download third-party applications in the form of alleged updates,
- Freely perform activities even when the app is shut off,
- Overlay other mobile applications’ interface using a critical permission called SYSTEM_ALERT_WINDOW for which Google specifies “Very few apps should use this permission; these windows are intended for system-level interaction with the user.”
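The capability list above maps onto a small set of Android permissions a dropper of this kind has to declare in its manifest, and a defender triaging an app can check for them before it is installed. The following added example (not Pradeo's tooling or anything from the Aegis project) takes a decoded AndroidManifest.xml, as produced by a tool such as apktool, and reports which of the described capabilities the declared permissions would grant. The permission names are real Android permissions; the grouping of permissions into capabilities is this example's own interpretation, and the sample manifest is constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for permissions that grant the
capabilities the article describes: overlaying other apps, disabling the
keylock, installing downloaded "updates", running without the user opening
the app, and collecting the installed-app list and location.

Added example. It assumes the manifest has already been decoded to plain
XML (an APK ships binary XML, which needs apktool or similar first).
"""
import xml.etree.ElementTree as ET

# Attributes such as android:name live in this namespace in a decoded manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, mapped to the capability from the article
# that they enable. The mapping itself is this example's interpretation.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay other apps' UI",
    "android.permission.DISABLE_KEYGUARD": "disable keylock",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install downloaded 'updates'",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run without user launching the app",
    "android.permission.FOREGROUND_SERVICE": "run without user launching the app",
    "android.permission.QUERY_ALL_PACKAGES": "collect installed application list",
    "android.permission.ACCESS_FINE_LOCATION": "collect device location",
    "android.permission.ACCESS_COARSE_LOCATION": "collect device location",
}

# Constructed sample: a 2FA-style app that also asks for the risky set.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake2fa">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="2FA Authenticator"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return names


def triage(manifest_xml: str) -> dict:
    """Map each article capability to the declared permissions granting it.

    Only capabilities backed by at least one declared permission appear in
    the result, so an empty dict means none of the risky set was requested.
    """
    found = {}
    for perm in sorted(declared_permissions(manifest_xml)):
        capability = RISKY_PERMISSIONS.get(perm)
        if capability:
            found.setdefault(capability, []).append(perm)
    return found


if __name__ == "__main__":
    for capability, perms in triage(SAMPLE_MANIFEST).items():
        print(f"{capability}: {', '.join(perms)}")
```

A permission appearing here is not proof of malice on its own (a launcher legitimately uses SYSTEM_ALERT_WINDOW, for example); the useful signal is the mismatch between what the app claims to do and the set it requests, which is exactly what the report flags for the fake authenticator.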
Another recently disclosed Android trojan is the BRATA trojan. Threat actors have been using the trojan to “perpetrate fraud via unauthorized wire transfers.” Some of its capabilities include performing a factory reset of the device, GPS tracking, using multiple communication channels (such as HTTP and TCP), and continuously monitoring the victim’s banking app via VNC (Virtual Network Computing) and keylogging.