A new type of Android malware has been identified that is capable of bypassing SMS-based-two-factor authentication.

In a report on ESET by researcher Lukas Stefanko, a new type of malware has been detected in the Google Play store, which is capable of accessing one-time passwords (OTPs) in SMS two-factor- authentication (2FA) messages “without using SMS permissions, circumventing Google’s recent restrictions”.

The malicious apps have been reported impersonating Turkish cryptocurrency exchange and phishing for login credentials.

“Instead of intercepting SMS messages to bypass 2FA protection on users’ accounts and transactions, these malicious apps take the OTP from notifications appearing on the compromised device’s display.

“Besides reading the 2FA notifications, the apps can also dismiss them to prevent victims from noticing fraudulent transactions happening.”

The malicious app “BTCTURK Pro Beta” was uploaded to Google Play on June 7, 2019, under the developer name “BTCTurk Pro Beta” and installed by more than 50 users before being reported to Google’s security teams. The second app “BtcTURK Pro Beta” under the developer name “BtSoft”, was uploaded on June 11, 2019, and had been installed by fewer than 50 users.

Once the second app was removed the same attackers uploaded another app using the same developer name, icon and screenshot but named “BTCTURK PRO”.

All the apps ask for “notification access” which allows the app to read the notifications displayed by other apps installed on the device and dismisses those notifications. If a user grants this permission, a fake login form requesting credentials for BtcTurk is displayed – and once the credentials are entered a fake error message in Turkish is displayed.

The credentials are sent to the attacker’s server, and thus due to the notification access permission, the malicious app can read notifications coming from other apps and fraudulent transactions can occur without victims noticing.

Stefanko advises that anyone who believes they may have installed one of these malicious apps, should uninstall it immediately, and accounts should be checked for suspicious activity and passwords changed.

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.


GDPR Summit Series is a global series of GDPR events which will help marketers to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Further information and conference details are available at http://www.gdprsummit.london/


comments powered by Disqus