Malicious Apps from Google PlayStore Bypassing SMS-Based Two-Factor Authentication and Steal OTPs in SMS

Researchers discovered new malicious Android apps from Google Play Store bypassing SMS-based two-factor authentication (2FA) mechanisms and steal the OTP without SMS’s permission.

Google recently restrict other apps to use of high risk or sensitive permissions, including the SMS or Call Log in March 2019 that leads malware and credentials stealing apps lost its permissions.

Newly uncovered malicious apps using a novel technique to bypassing SMS 2FA messages without using SMS permissions, eventually steal the OTP by evading the new permission restriction.

Threat actors also using the technique to obtain OTPs from some email-based 2FA systems.

Malicious apps in Google play store called “BTCTurk Pro Beta,” “BtcTurk Pro Beta” under the developer name “BTCTurk Pro Beta and BtSoft” impersonate the Turkish cryptocurrency exchange BtcTurk and fool users to steal login credentials to the service.

BtcTurk is a Turkish cryptocurrency exchange; its official mobile app is linked to the exchange’s website and only available to users in Turkey.

Unlike other malicious apps that are intercepting SMS messages to bypass 2FA protection on users’ accounts and transactions, these apps stealing the OTP from the notification bar and also it cleverly dismiss the notification to divert victims from noticing fraudulent transactions happening.

2FA Bypass Technique

First App “BTCTurk Pro Beta” was uploaded to Google Play on June 7, 2019, and the App was installed nearly 50 users.

Within the next five day, another malicious app was uploaded in Google play store with similar tactics of the first one.

Threat actors later removed the second app and uploaded another app with the same functionality with the name of “BTCTURK PRO” with the same Icon and same developer name.

Once the app installed on victims device, initially it requests permission named Notification access, once allowed, it gains an ability to read all the notifications displayed by the other apps and dismiss the notification.

Since the notification access permission was introduced in Android version 4.3 (Jelly Bean), all the higher version of 4.3 is reportedly affected, which means it could affect around 90% of Android devices.

Once the permission granted by the user, the app instantly displays the fake login page and request to BtcTurk login credentials.

According to ESET research, After the user entered the credentials The English translation of the message is: “Opss! Due to the change made in the SMS Verification system, we are temporarily unable to service our mobile application. After the maintenance work, you will be notified via the application. Thank you for your understanding.”

In the background, stolen credentials are sent to attacker server, and also the developer of the malicious apps target only notifications from apps whose names contain the keywords “gm, Yandex, mail, k9, outlook, SMS, messaging”,

“The displayed content of all notifications from the targeted apps is sent to the attacker’s server. The content can be accessed by the attackers regardless of the settings the victim uses for displaying notifications on the lock screen.” ESET reported.

Mitigation Steps Suggested by ESET

  • Only trust cryptocurrency-related and other finance apps if they are linked from the official website of the service
  • Only enter your sensitive information into online forms if you are certain of their security and legitimacy
  • Keep your device updated
  • Use a reputable mobile security solution to block and remove threats; ESET systems detect and block these malicious apps as Android/FakeApp.KP
  • Whenever possible, use software-based or hardware token one-time password (OTP) generators instead of SMS or email
  • Only use apps you consider trustworthy, and even then: only allow Notification access to those that have a legitimate reason for requesting it

Indicators of Compromise (IoCs)

Package nameHash
btcturk.pro.beta8C93CF8859E3ED350B7C8722E4A8F9A3
com.app.btsoft.app843368F274898B9EF9CD3E952EEB16C4
com.app.elipticsoft.app336CE9CDF788228A71A3757558FAA012
com.koinks.mobilpro4C0B9A665A5A1F5DCCB67CC7EC18DA54

Related Read

New Android Malware that Uses Chrome to Load Malicious websites through Notifications

Bypassing and Disabling SSL Pinning on Android to Perform Man-in-the-Middle Attack

Tags: Android MalwareAndroid securityGoogle PlayMalwaretwo factor authentication
5 years ago
Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Leave a Comment

Related Post

Recent Posts

Akira Ransomware Attacks Over 250 Organizations and Collects $42 Million

The Akira ransomware variant has severely impacted more than 250 organizations worldwide, amassing approximately USD 42 million in ransom payments.…

1 hour ago

Alert! Windows LPE Zero-day Exploit Advertised on Hacker Forums

A new zero-day Local Privilege Escalation (LPE) exploit has been put up for sale on a notorious hacker forum. This…

8 hours ago

Palo Alto ZeroDay Exploited in The Wild Following PoC Release

Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified as CVE-2024-3400. This zero-day flaw, found…

21 hours ago

FIN7 Hackers Attacking IT Employees Of Automotive Industry

IT employees in the automotive industry are often targeted by hackers because they have access to sensitive information such as…

22 hours ago

Russian APT44 – The Most Notorious Cyber Sabotage Group Globally

As Russia's invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS, APT44) cyber threat group remains highly…

22 hours ago

SoumniBot Exploiting Android Manifest Flaws to Evade Detection

A new banker, SoumniBot, has recently been identified. It targets Korean users and is incredible by using an unusual method…

22 hours ago