Android Malware Bypasses 2FA by Stealing One-Time Passwords (Jun 17, 2019)
Malware that is capable of stealing Android one-time passwords has been discovered by researchers at ESET. In an attempt to strengthen security, Google previously banned apps that access SMS and call logs when they are not necessary. However, threat actors have found a way to bypass this by accessing notifications to steal one-time passwords and two-factor authentication codes. Between June 7 and June 13, fake Turkish cryptocurrency apps were uploaded to the Google Play Store attempting to steal login credentials by requesting permissions to read all notifications. Once the permissions are accepted, the fake application phishes for the credentials with a fake login screen and prompts notifications from a specific list of apps to be collected from. In addition, the control of notifications enables threat actors to delete and silence notifications, to hide from the user.
Recommendation: Ensure when downloading finance applications that are linked from the official website of the service, only provide sensitive information and allow notifications from trusted sources. In addition, make sure your device is kept up to date, and use a reputable mobile security solution to help block malicious apps.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.