Android Malware Steals One-Time Passwords and Bypasses 2FA

Lukas Stefanko, an expert at ESET, has discovered a new kind of scam: malicious Android apps that steal one-time passwords used for two-factor authentication (2FA) by abusing the notification system. This technique allows attackers to bypass restrictions introduced by Google earlier this year, which prevent apps from accessing SMS messages and call logs without a valid reason.

Stefanko identified several apps (BTCTurk Pro Beta and BtcTurk Pro Beta) posing as the Turkish cryptocurrency exchange BtcTurk. These apps were uploaded to Google Play between June 7 and June 13, 2019, and pose a threat to Android 5.0 (KitKat) and above, making them dangerous for 90% of active Android devices. The main goal of this malware is to steal user credentials and use them, even on services protected by 2FA.

How the Attack Works

Since accessing SMS messages has become more difficult, scammers have chosen a different method: they request permission to access and manage notifications. According to Stefanko, this allows the app to read notifications displayed by other apps on the device, dismiss those notifications, or even press buttons contained within them.

Once granted this permission, the malware starts hunting for credentials from cryptocurrency services by presenting the victim with fake login forms. If the user falls for the scam and enters their credentials, a fake error message is displayed, claiming there was a problem verifying the SMS and that the app will show a notification once the issue is resolved.

In reality, the malware has already sent the user’s credentials to the attackers’ server and can now read notifications from other apps. Stefanko found filters in the malware that target apps whose names contain keywords like gm, yandex, mail, k9, outlook, sms, and messaging. As a result, attackers can read notifications from all these targeted apps, as well as dismiss them or mute them so the victim remains unaware of unauthorized access.
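
The permission described above is the Android "notification access" grant, which Android records in the secure setting enabled_notification_listeners as a colon-separated list of flattened component names (package/ListenerClass, or package/.ListenerClass as a shorthand). The script below is an added example and is not code from ESET or the article: it parses that setting and flags listeners that are not on an allow-list, so a device owner or fleet administrator can spot an app that quietly obtained the ability to read, dismiss and act on every notification. The package names in the sample value are constructed, and the allow-list is an assumption to be maintained per device.

```python
"""Audit which apps hold notification-listener access on an Android device.

Added example, not from ESET or the article. On a device with USB debugging
enabled the real value is read with:

    adb shell settings get secure enabled_notification_listeners

The output is "null" when no app has notification access. Here the device
output is replaced with a constructed sample string so the script runs offline.
"""
from typing import Iterable, List, Tuple

# Constructed sample, shaped like the real setting value.
# All package names below are hypothetical.
SAMPLE_SETTING = (
    "com.android.systemui/.statusbar.NotificationListenerStub:"
    "com.example.smartwatch/com.example.smartwatch.NotifService:"
    "com.example.fake.exchange/.NotifyListener"
)

# Packages the device owner deliberately granted notification access
# (hypothetical allow-list; keep it per device or per fleet).
ALLOWED_PACKAGES = frozenset({
    "com.android.systemui",
    "com.example.smartwatch",
})


def parse_listeners(setting_value: str) -> List[Tuple[str, str]]:
    """Split the setting into (package, listener_class) pairs.

    A class beginning with '.' is relative to its package, which is how
    ComponentName.flattenToShortString() writes it; it is expanded here so
    every entry reports a fully qualified class name.
    """
    value = setting_value.strip()
    if not value or value == "null":  # no app has notification access
        return []
    pairs = []
    for entry in value.split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def unexpected_listeners(
    setting_value: str, allowed: Iterable[str] = ALLOWED_PACKAGES
) -> List[Tuple[str, str]]:
    """Return listener components whose package is not on the allow-list."""
    allowed_set = set(allowed)
    return [(p, c) for p, c in parse_listeners(setting_value) if p not in allowed_set]


if __name__ == "__main__":
    for pkg, cls in unexpected_listeners(SAMPLE_SETTING):
        print(f"REVIEW: {pkg} can read, dismiss and act on all notifications ({cls})")
```

Any package reported here that is not a watch companion, launcher or similar known helper deserves the same scrutiny as an app holding SMS permissions, because the capabilities are equivalent for 2FA codes delivered as notifications.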

Limitations and Similar Threats

The main limitation of this method is that attackers can only steal the text that appears in the notification. However, Stefanko notes that in most cases, this is enough for the attack to succeed.

Interestingly, a similar app targeting Turkish users was spotted last week. This malware pretended to be the cryptocurrency exchange Koineks but was less sophisticated than the BtcTurk imitators, as it could not dismiss notifications or mute them.

It’s also worth mentioning that a “Doctor Web” expert recently described a similar attack technique using fake notifications in Android. In that case, notifications were used not to steal one-time passwords, but to redirect users to malicious and advertising resources.
