Google Removed Fake Authenticator App From Play Store That Dropped Vultur Malware

Heads up Android users! A fake authenticator app made its way to Google Play Store to infect Android users with Vultur malware. While the app doesn’t exist on the Play Store anymore, make sure that it doesn’t remain on other stores.

Fake Authenticator App Dropped Vultur Malware

As elaborated in a blog post, researchers from Pradeo spotted a malicious app on the Google Play Store. The app mimicked an authenticator app to trick users, which it did successfully, garnering thousands of downloads.

The fake app, named “2FA Authenticator,” appeared on the Play Store recently, showing the last updated date as “January 8, 2022.” Yet, even in a short time, it attracted 10,000+ downloads.

Specifically, the malicious app served as a malware dropper that infected the target devices with Vultur malware. Nonetheless, the attackers played sneakily as they developed the app using the open-source code of the legit Aegis authenticator app. The attackers then injected the malicious code into it, hence retaining the app’s functionality and maliciousness together.

So, after a user would download the app, it would function as expected, thus avoiding red flags.

However, in the background, the fake app would gather device details as well as demand extensive device permissions.

After gaining persistence on the device, the fake authenticator app would drop the Vultur malware as the final payload.

Google Removed The Malicious App

Following this discovery, the researchers reached out to Google to report the app. Eventually, Google removed it from the Play Store, thus preventing users from falling for the attack.

However, as evident from its number of downloads, the app already made its way to at least 10,000 users. Hence, all users who inadvertently downloaded this app should ensure removing it from their devices ASAP.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil