Thursday, April 18, 2024

Malicious Apps from Google PlayStore Bypassing SMS-Based Two-Factor Authentication and Steal OTPs in SMS

Researchers discovered new malicious Android apps from Google Play Store bypassing SMS-based two-factor authentication (2FA) mechanisms and steal the OTP without SMS’s permission.

Google recently restrict other apps to use of high risk or sensitive permissions, including the SMS or Call Log in March 2019 that leads malware and credentials stealing apps lost its permissions.

Newly uncovered malicious apps using a novel technique to bypassing SMS 2FA messages without using SMS permissions, eventually steal the OTP by evading the new permission restriction.

Threat actors also using the technique to obtain OTPs from some email-based 2FA systems.

Malicious apps in Google play store called “BTCTurk Pro Beta,” “BtcTurk Pro Beta” under the developer name “BTCTurk Pro Beta and BtSoft” impersonate the Turkish cryptocurrency exchange BtcTurk and fool users to steal login credentials to the service.

BtcTurk is a Turkish cryptocurrency exchange; its official mobile app is linked to the exchange’s website and only available to users in Turkey.

Unlike other malicious apps that are intercepting SMS messages to bypass 2FA protection on users’ accounts and transactions, these apps stealing the OTP from the notification bar and also it cleverly dismiss the notification to divert victims from noticing fraudulent transactions happening.

2FA Bypass Technique

First App “BTCTurk Pro Beta” was uploaded to Google Play on June 7, 2019, and the App was installed nearly 50 users.

Within the next five day, another malicious app was uploaded in Google play store with similar tactics of the first one.

Threat actors later removed the second app and uploaded another app with the same functionality with the name of “BTCTURK PRO” with the same Icon and same developer name.

Once the app installed on victims device, initially it requests permission named Notification access, once allowed, it gains an ability to read all the notifications displayed by the other apps and dismiss the notification.

Since the notification access permission was introduced in Android version 4.3 (Jelly Bean), all the higher version of 4.3 is reportedly affected, which means it could affect around 90% of Android devices.

Once the permission granted by the user, the app instantly displays the fake login page and request to BtcTurk login credentials.

According to ESET research, After the user entered the credentials The English translation of the message is: “Opss! Due to the change made in the SMS Verification system, we are temporarily unable to service our mobile application. After the maintenance work, you will be notified via the application. Thank you for your understanding.”

In the background, stolen credentials are sent to attacker server, and also the developer of the malicious apps target only notifications from apps whose names contain the keywords “gm, Yandex, mail, k9, outlook, SMS, messaging”,

“The displayed content of all notifications from the targeted apps is sent to the attacker’s server. The content can be accessed by the attackers regardless of the settings the victim uses for displaying notifications on the lock screen.” ESET reported.

Mitigation Steps Suggested by ESET

  • Only trust cryptocurrency-related and other finance apps if they are linked from the official website of the service
  • Only enter your sensitive information into online forms if you are certain of their security and legitimacy
  • Keep your device updated
  • Use a reputable mobile security solution to block and remove threats; ESET systems detect and block these malicious apps as Android/FakeApp.KP
  • Whenever possible, use software-based or hardware token one-time password (OTP) generators instead of SMS or email
  • Only use apps you consider trustworthy, and even then: only allow Notification access to those that have a legitimate reason for requesting it

Indicators of Compromise (IoCs)

Package nameHash

Related Read

New Android Malware that Uses Chrome to Load Malicious websites through Notifications

Bypassing and Disabling SSL Pinning on Android to Perform Man-in-the-Middle Attack


Latest articles

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a...

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber...

FGVulDet – New Vulnerability Detector to Analyze Source Code

Detecting source code vulnerabilities aims to protect software systems from attacks by identifying inherent...

North Korean Hackers Abuse DMARC To Legitimize Their Emails

DMARC is targeted by hackers as this serves to act as a preventative measure...

L00KUPRU Ransomware Attackers discovered in the wild

A new variant of the Xorist ransomware, dubbed L00KUPRU, has been discovered in the...

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...

Outlook Login Panel Themed Phishing Attack Evaded All Antivirus Detections

Cybersecurity researchers have uncovered a new phishing attack that has bypassed all antivirus detections.The...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles