
Android security app installed by thousands ends up being malware

A skull and crossbones against a red background of ones and zeroes displayed on a smartphone screen.
(Image credit: Aaban/Shutterstock)

Hot on the heels of yesterday's story about nearly 500 Android apps in Google Play that were fleecing tens of millions of people out of their hard-earned money, there is — or was — another Android app in Google Play that tried to clean out its victims' online bank accounts.

The app was discovered by French mobile-security firm Pradeo and is called 2FA Authenticator. As its name implies, it disguises itself as a two-factor-authentication (2FA) code generator, and it is fully functional in that regard: the one-time-code generation used by authenticator apps is an open standard with freely available implementations, so bolting a working 2FA front end onto malware costs the attacker almost nothing.

Nevertheless, this app does nothing to improve your security. Rather, once installed it asks the user for permissions that are not stated in its Google Play profile, including the permission to install packages from the internet instead of receiving updates through Google Play. That is the permission that lets an otherwise harmless-looking app pull down and install a second, malicious payload after it has passed Google Play's review.

Reaching out and touching you with malware

If you grant it that permission, then 2FA Authenticator reaches out to the internet and infects your phone with the Vultur banking Trojan, a particularly nasty piece of work that we first wrote about last July. 

Vultur records everything that happens on your screen to capture what you type or view, such as usernames and email addresses. It also includes a keylogger to capture what is not visible on screen when you type, such as masked passwords. It sends that information to its controllers, who can then use your login details to hijack your online bank accounts.

2FA Authenticator was available in the Google Play app store for at least 15 days and had been installed on at least 10,000 devices before it was removed yesterday (Jan. 27) after Pradeo informed Google of its presence. 

Odds are that 2FA Authenticator is still available on "off-road" Android app stores, so be extremely wary if you get apps that way — the app's unique Android package name is "com.privacy.account.safetyapp". (Other banking Trojans can lurk in Google Play for days or weeks.) 


How to get rid of 2FA Authenticator

Google can reach out and delete known malicious apps from users' phones if the apps were installed using Google Play, but it rarely does so. If you think you may have 2FA Authenticator or another known malicious app installed on your own phone, you'll probably need to get rid of it manually. 

Check Settings > Apps (or App Management) to see if 2FA Authenticator or another suspicious app is listed. You may want to tap the three dots in the top right corner of the screen and select "Show system" because sometimes malicious apps hide there.

If there's a 2FA Authenticator listed, you can probably just go ahead and delete it. It might be a different, harmless app that happens to share the name, since many Android apps use the same or similar display names, but an authenticator app is easy to replace: substitute a better-known one, such as Google Authenticator or Authy. The display name is not what identifies an app; the package name is, and the section below explains how to find it.

Also, you should probably install one of the best Android antivirus apps on your phone. They do a better job than Google's built-in tools when it comes to catching malicious apps.

How to check if an installed Android app has been removed from Google Play

To be certain whether an app you have installed has been removed from Google Play, you'll need to look up its unique package name, something that looks like "com.foo.app" or, in this particular case, "com.privacy.account.safetyapp". 

Android app package names are easily visible in the URL, or web address, of Google Play store pages when you look at them in a web browser. For example, if the URL is "https://play.google.com/store/apps/details?id=com.foo.app", then the package name is "com.foo.app", the value of the "id" parameter.

Unfortunately, after the app has been installed on your phone or tablet, it's not so easy to tell what the package name of an Android app might be. 

Your best bet is to open the Google Play app, tap your own Google avatar in the upper right corner, then select "Manage apps and device." 

On the next screen, tap the Manage tab to see all your installed apps. Tap the three uneven lines on the right side of the screen to sort them by name. Find the app that you're curious about and tap it. 

A page for the app itself will open in the Google Play app, but that doesn't necessarily mean the app is in the online Google Play store. It just means the app is installed on your device. 

Tap the three stacked dots in the upper right corner and select Share. A menu will slide out listing a partial URL, which is for the app's Google Play store listing page when you installed the app. Tap the nested-squares icon next to it to copy the URL. 

Then open up a new tab in a web browser, paste the URL into the address bar and tap the Go arrow at the bottom of the screen. (If you just want the package name, paste the URL into a text file or even a new email message.)

If your browser returns a regular Google Play app-listing page, then the app is still in Google Play. That is a good sign, but not a guarantee: 2FA Authenticator itself sat in Google Play for at least 15 days before it was pulled. 

But if you get a mostly blank page with a message stating that "We're sorry, the requested URL was not found on this server," then the app has been removed from Google Play. 

You should probably consider uninstalling an app that's no longer in Google Play, especially if its package name matches that of a known malicious app such as com.privacy.account.safetyapp. 

The exceptions are for apps that you know were removed from Google Play for other reasons, such as because of a copyright dispute or a violation of Google's terms of service.
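The same check can be done from a desktop, which is faster than tapping through the Play app one installed app at a time. The script below is an added example and is not code from the article or from Pradeo. It parses the package names out of the output of `adb shell pm list packages -3` (which lists third-party packages on a USB-debugging-enabled phone), extracts the package name from a Play share URL the way the steps above do by hand, and classifies each package as known-bad, still listed, or removed by fetching its Play listing and looking at the HTTP status (Play answers 404 for a package that has no listing, which is the "requested URL was not found" page described above). The sample `pm list packages` output, the `com.example.notes` package and the `fetch` callback are constructed for the example; only `com.privacy.account.safetyapp` comes from the article.

```python
"""Check whether installed Android packages still have a Google Play listing.

Added example, not the article's or Pradeo's code.  Usage on a desktop with
adb installed and the phone in USB-debugging mode:

    adb shell pm list packages -3 | python3 check_play.py

Run with no stdin (a terminal) it triages a constructed sample instead.
"""
import re
import sys
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

PLAY_DETAILS = "https://play.google.com/store/apps/details"

# Android package names: two or more dot-separated segments, each a Java
# identifier (letters, digits, underscore; must not start with a digit).
PACKAGE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+$")

# Package names the article identifies as malicious.
KNOWN_BAD = {"com.privacy.account.safetyapp"}

# Constructed sample of `adb shell pm list packages -3` output.  Only the
# first package is real (from the article); the others are made up.
SAMPLE_PM_OUTPUT = """package:com.privacy.account.safetyapp
package:com.example.notes
package:org.mozilla.firefox
"""


def package_from_play_url(url):
    """Return the package name in a Play details URL, or None.

    Accepts the web form https://play.google.com/store/apps/details?id=...
    and the market://details?id=... form the Play app sometimes shares.
    Rejects other hosts and malformed ids so a pasted link cannot smuggle in
    an arbitrary string.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme == "market":
        is_details = parsed.netloc == "details"
    else:
        is_details = (parsed.scheme == "https"
                      and parsed.netloc == "play.google.com"
                      and parsed.path == "/store/apps/details")
    if not is_details:
        return None
    ids = parse_qs(parsed.query).get("id", [])
    if len(ids) != 1 or not PACKAGE_RE.match(ids[0]):
        return None
    return ids[0]


def packages_from_pm_output(text):
    """Parse 'package:com.foo.app' lines into a sorted list of package names."""
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()          # adb output often carries a trailing \r
        if line.startswith("package:"):
            name = line[len("package:"):]
            if PACKAGE_RE.match(name):
                pkgs.add(name)
    return sorted(pkgs)


def play_url(pkg):
    """Build the Play listing URL for a package name."""
    return f"{PLAY_DETAILS}?id={pkg}"


def http_status_fetch(url):
    """Real network fetch: HTTP status code of a GET on url (404 = no listing)."""
    req = Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urlopen(req, timeout=15) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def classify(pkg, fetch=http_status_fetch):
    """'known-bad', 'listed', 'removed', or 'unknown(<status>)' for one package.

    Known-bad packages are flagged without a lookup: a 200 from Play only
    means a listing exists, not that the app is safe.
    """
    if pkg in KNOWN_BAD:
        return "known-bad"
    status = fetch(play_url(pkg))
    if status == 200:
        return "listed"
    if status == 404:
        return "removed"
    return f"unknown({status})"


def triage(pm_output, fetch=http_status_fetch):
    """Map every package in pm_output to its classification."""
    return {pkg: classify(pkg, fetch) for pkg in packages_from_pm_output(pm_output)}


if __name__ == "__main__":
    text = SAMPLE_PM_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for pkg, verdict in triage(text).items():
        print(f"{verdict:14} {pkg}")
```

The `fetch` callback exists so the classification logic can be exercised without network access; in production use the default `http_status_fetch` does the real lookup. Treat "removed" as a prompt to investigate, not a verdict: as the article notes, apps also leave Google Play for copyright or policy reasons.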

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.