科技回声: a tech news platform built on Next.js, carrying global tech news and discussion (a Hacker News mirror).
© 2025 科技回声. All rights reserved.

2FA app with 10k Google Play downloads loaded well-known banking trojan

148 points, posted by mocko over 3 years ago

16 comments

alexbakker, over 3 years ago
It sucks to see your open source work being abused like this, and there's seemingly nothing we can do about it.

Every now and then I scour the play store to see if I can find any Aegis clones. We've reported a couple that didn't have a link to the source code and/or were linking proprietary libraries (as per our license), but they're still up. Of course, those cases aren't as bad as this one where actual malware was included, but it's pretty telling about the state of the Google Play Store.
Saris, over 3 years ago
You would think if Google's malware scanning was doing anything useful it would have flagged this purely because of the wide permissions it requests.
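Two commenters (Saris above, and ncmncm further down) make the same point: the permission set alone should have been enough to flag this app. Below is an added example of the triage a reviewer can run by hand on a decoded manifest; it is not code from the page, from Google Play, or from any app the thread names. It assumes a baseline of what an offline TOTP authenticator plausibly needs (camera for QR enrolment, biometrics, vibration) and a short list of permissions and components that are well known from Android banking-malware tradecraft in general; the page does not list the specific permissions this app requested, so both manifests embedded here are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml against what a TOTP authenticator needs.

Added example for this thread, not code from the page or from any app it mentions.
Feed it the AndroidManifest.xml that `apktool d app.apk` writes out; the two
manifests embedded below are constructed samples, not captured from a real APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: a modest baseline for an offline TOTP/HOTP authenticator.
AUTHENTICATOR_BASELINE = {
    "android.permission.CAMERA",           # QR-code enrolment
    "android.permission.USE_BIOMETRIC",    # unlock the vault
    "android.permission.USE_FINGERPRINT",  # legacy spelling of the above
    "android.permission.VIBRATE",
}

# Permissions commonly abused by Android banking trojans in general.
HIGH_RISK = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs",
    "android.permission.READ_SMS": "read stored SMS (OTP interception)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed apps",
    "android.permission.READ_CONTACTS": "harvest contacts",
}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"


def triage_manifest(xml_text: str) -> dict:
    """Return requested permissions, what falls outside the baseline, and any
    accessibility service the app declares (the usual hook for screen scraping)."""
    root = ET.fromstring(xml_text)

    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                requested.add(name)

    # A service is an accessibility service if it is protected by the bind
    # permission or advertises the AccessibilityService intent action.
    a11y_services = []
    for svc in root.iter("service"):
        binds = svc.get(ANDROID_NS + "permission") == A11Y_BIND
        declares = any(a.get(ANDROID_NS + "name") == A11Y_ACTION for a in svc.iter("action"))
        if binds or declares:
            a11y_services.append(svc.get(ANDROID_NS + "name", "<unnamed>"))

    high_risk = {p: HIGH_RISK[p] for p in sorted(requested) if p in HIGH_RISK}
    unexpected = sorted(requested - AUTHENTICATOR_BASELINE)
    # Arbitrary weights: accessibility > known-abused permission > merely unexpected.
    score = 3 * len(a11y_services) + 2 * len(high_risk) + len(unexpected)
    return {
        "package": root.get("package"),
        "requested": sorted(requested),
        "unexpected": unexpected,
        "high_risk": high_risk,
        "accessibility_services": a11y_services,
        "risk_score": score,
        "verdict": "REVIEW" if (high_risk or a11y_services) else "ok",
    }


# Constructed sample: a "2FA" app that asks for far more than it needs.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspect2fa">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_SMS"/>
  <application android:label="2FA">
    <service android:name=".MonitorService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: what a plain offline authenticator's manifest looks like.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleanauth">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Authenticator"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, CLEAN_MANIFEST):
        r = triage_manifest(m)
        print(f"{r['package']}: {r['verdict']} (score {r['risk_score']})")
        for perm, why in r["high_risk"].items():
            print(f"  high-risk {perm}: {why}")
        for svc in r["accessibility_services"]:
            print(f"  accessibility service: {svc}")
```

The baseline is the part to adjust per app category; the point of the score is only to rank a batch of APKs for manual review, not to decide anything on its own. Note that the manifest says what an app may ask for, not what it does: an app that requests none of these can still phish credentials through its own UI, which is why store review should also look at the code behind the permissions.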
kosasbest, over 3 years ago
Right now, Google Play is the wild west. The app store admins are far too lenient when it comes to things like this. No vetting of apps. No inspection of source code for red flags. And the sketchy apps can be rated five stars by a bunch of bots artificially inflating its popularity. Clown show.
butz, over 3 years ago
Open source app includes link to donation page? Ban! And disable their account while at it. Shady 2FA app? Keep it, what harm can it do?
baobabKoodaa, over 3 years ago
So much for the walled garden. Remind me again, what is Google offering in exchange for their 30% cut?
bityard, over 3 years ago
For those who can't be bothered to click, the name of the app is "2FA Authenticator".
tramtrist, over 3 years ago
Not to be confused with: https://2fas.com/ https://play.google.com/store/apps/details?id=com.twofasapp Right?
bigyellow, over 3 years ago
Let's definitely not put the name of the app in the title, so people are forced to visit our shitty site loaded with dozens of tracking domains and scripts.
josephcsible, over 3 years ago
But all the big scary warnings when I enabled sideloading told me that only getting apps from the Play Store would protect me from this!
xroche, over 3 years ago
Removed from Google Play. But what about the users who fell in the trap? Will the app be removed automatically?
throwawayboise, over 3 years ago
My rule is that I never install an app from a small publisher. I only install apps from Google, or other large established publishers.

I know they all spy on me, but I do trust that they won't steal my bank credentials and drain my accounts.

Another bit of advice, never do banking on your phone.
ncmncm, over 3 years ago
They don't say it is on FDroid. Figures, as they would have had to provide source code, and FDroid would build it themselves.

With all those permissions it demands, people must have reported it earlier.
jpeter, over 3 years ago
Are there really banking trojans in Android? I thought malicious apps can't access data of other apps because everything is sandboxed
12ian34, over 3 years ago
If you're on Android I'd strongly recommend Aegis via F-Droid.
connordoner, over 3 years ago
…Yikes.
austincheney, over 3 years ago
I work for a bank. This is why we ship our own 2FA app.