If you installed this Malicious Android App, Delete it immediately


Google got a wake-up call this week when they discovered that a malicious Android app was available for download in the Google Play store for over 2 weeks. In that time, over 10,000 users installed the app thinking it was a legitimate two-factor authentication service.

Cyber security company Pradeo discovered the malicious app, called “2FA Authenticator”. On its Google Play store page, which is no longer available, it was described as “a secure authenticator for your online services, while also including some features missing in existing authenticator apps, like proper encryption and backups.”

However, the real intention of the application was to steal your financial information.

A legitimate app called Aegis Authenticator offers to manage your two-step verification tokens. It’s free and open source, and the developers of 2FA Authenticator took advantage of that. They copied the open source code from Aegis and added malicious code to it. The final result was an application that passed Google Play Store security checks and, once installed on a user’s Android device, could steal that user’s sensitive information.

Once installed, the app requests “critical permissions” from the device, which allow it to perform a variety of tasks, including disabling key lock and password security, downloading third-party apps and updates, continuing to work in the background after the user exits the app, and placing an overlay on other app interfaces. All of this is happening while the attackers also have access to the victim’s data.
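For anyone vetting an app before installing it, here is an added example (not code from Pradeo, PCMag or the app itself) that checks a decoded AndroidManifest.xml for the permission combination described above. The mapping from the article's behaviours to Android permission names, the review threshold of three behaviours, and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: Android permission -> behaviour named in the article.
# The article itself does not list permission names.
RISKY = {
    "android.permission.DISABLE_KEYGUARD": "disable key lock",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install third-party apps and updates",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on other apps",
    "android.permission.FOREGROUND_SERVICE": "keep running in the background",
    "android.permission.RECEIVE_BOOT_COMPLETED": "keep running in the background",
}

# Constructed sample manifests (not taken from any real app).
SAMPLE_SUSPECT = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeauth">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>
"""
SAMPLE_BENIGN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.otp">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
</manifest>
"""

def audit_manifest(manifest_xml, threshold=3):
    """Return risky permissions found and whether the app needs manual review."""
    root = ET.fromstring(manifest_xml.strip())
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                requested.add(name.strip())
    hits = {p: RISKY[p] for p in sorted(requested) if p in RISKY}
    behaviours = sorted(set(hits.values()))
    # Flag when several distinct risky behaviours are requested together.
    return {"package": root.get("package"), "hits": hits,
            "behaviours": behaviours, "review": len(behaviours) >= threshold}

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPECT, SAMPLE_BENIGN):
        print(audit_manifest(sample))
```

An authenticator normally needs little more than camera access for scanning QR codes, so a request for this set of permissions is worth a closer look before installing.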

If 2FA Authenticator finds that a device meets several conditions, a Remote Access Trojan (RAT) called Vultur is downloaded and installed on the victim’s device without them even knowing. Vultur uses screen recording and keylogging to capture users’ credentials as they enter them into banking apps, allowing cyber criminals to empty victims’ bank accounts or cryptocurrency wallets.

If you have downloaded 2FA Authenticator, remove it immediately and contact all of your financial/banking institutions to ensure your accounts haven’t been compromised.

Story via PCMag
