
Popular authentication app pulled from Google Play for being financial malware


Financial malware often hides in plain sight, seeking to make contact and subtly draw data.

That has certainly been the approach of at least one two-factor authentication app, which was available on Google Play for site managers and was downloaded by roughly 10,000 users during the two weeks it was up on the Google app store, ironically offering the promise of better digital access security. Indeed, users who downloaded the app, recommended by several conventional financial firms, were unaware that they were prey to an identity verification scheme.

Patrick McBride, chief marketing officer for Beyond Identity, points out that the incident is “troubling” for two reasons.

“One, it's not a game or a productivity app, it's an app people see as critical to business and personal safety,” said McBride. “Secondly, with plenty of evidence that criminals are substantially compromising legitimate MFA, this further weakens confidence in controls people are already not using as much as they should.”

Indeed, this particular malware steals financial institution credentials, which it may use in the future, meaning that the impact of this exploit cannot be fully calculated at present.

Unfortunately, cyber criminals' use of multi-factor authentication (MFA) tokens and authenticator apps is a growing trend, according to Chuck Everette, director of cybersecurity advocacy for Deep Instinct. Before the application was found to be malware, the Google Play Store described it as “a secure authenticator for your online services, while also including some features missing in existing authenticator apps, like proper encryption and backups.”

“As MFA is becoming a requirement for financial and other critical systems, cyber criminals now have to shift their focus to how to circumvent or infiltrate these security controls,” Everette said. “This will definitely be a growing trend going into 2022 and beyond.”

U.S. financial firms are encouraging customers to delete the application, dubbed “2FA Authenticator,” from their devices as soon as possible to avoid the theft of their personal data and financial access credentials. The criminals who developed this application were able to hide it within a very believable “malware dropper” utilizing open-source coding.

According to a report from mobile application security firm Pradeo: “As a result, the application is successfully disguised as an authentication tool, which ensures it maintains a low profile.”

Unfortunately, malware apps like 2FA Authenticator are becoming all too common, said Jim Ducharme, COO of Outseer. “Rogue mobile applications have soared over the past year,” he added.

In Q2 2021, Outseer detected 140% more rogue banking apps compared with one year prior. “Users need to be aware of warning signs that indicate a mobile application is inauthentic to protect themselves, their money and sensitive personal information,” said Ducharme.

One way that users can suss out fraudulent 2FA authentication software is to check whether it demands device permissions, such as user location and access to third-party applications, beyond what was disclosed in the Google Play profile, according to Pradeo. This malware was reportedly able to even manipulate the interface of other applications on a user’s mobile device.
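The permission check described above can be automated by an analyst. The following is an added example, not code from Pradeo or from the article: it compares the permissions in an already decoded AndroidManifest.xml against the set a store listing disclosed. The manifest, the package name, the disclosed set and the choice of Android permissions standing in for each warning sign are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Warning-sign categories follow the article; the specific Android permissions
# mapped to each category are this example's assumption.
WARNING_SIGNS = {
    "android.permission.ACCESS_FINE_LOCATION": "user location",
    "android.permission.ACCESS_COARSE_LOCATION": "user location",
    "android.permission.QUERY_ALL_PACKAGES": "access to third-party applications",
    "android.permission.SYSTEM_ALERT_WINDOW": "drawing over other applications' interfaces",
}

# Constructed sample: decoded manifest of a hypothetical authenticator app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.authenticator">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>"""

# Constructed sample: permissions the hypothetical store listing disclosed.
SAMPLE_DISCLOSED = {"android.permission.CAMERA", "android.permission.USE_BIOMETRIC"}


def requested_permissions(manifest_xml):
    """Return every permission named in <uses-permission*> elements."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name")
            if name:
                found.add(name.strip())
    return found


def undisclosed_permissions(manifest_xml, disclosed):
    """Map each requested-but-undisclosed permission to a reason to look closer."""
    extra = requested_permissions(manifest_xml) - set(disclosed)
    return {p: WARNING_SIGNS.get(p, "not disclosed in listing") for p in sorted(extra)}


if __name__ == "__main__":
    for perm, reason in undisclosed_permissions(SAMPLE_MANIFEST, SAMPLE_DISCLOSED).items():
        print(f"{perm}: {reason}")
```

A non-empty result is a reason to review the app further, not proof that it is malicious.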

Jason Kent, hacker in residence at Cequence Security, expects that the applications that come from legitimate digital stores are vetted and safe to use.

“However, that concept isn't actually being implemented to the degree we think it is,” said Kent. “Scanning the application for malware requires some technological implementation for both looking at the code but actually exercising the application to ensure it isn't malicious. Third-party app stores are much worse.”
