Last week researchers reported on apps abusing the Android push notifications feature to deliver spam. Now other researchers have described apps using a similar but more advanced approach to bypass two-factor authentication (2FA).
Lukas Stefanko, a malware analyst with ESET, has reported on apps that impersonate the Turkish cryptocurrency exchange BtcTurk and phish for login credentials to the service. Rather than the more obvious route of intercepting the SMS messages that deliver one-time passwords (OTPs), which needs SMS permissions that Google Play now restricts, these apps (called BTCTurk Pro Beta and BtcTurk Pro Beta) read the OTPs out of the notifications that the device's SMS and email apps display when a code arrives.
From November 2018 until April 2019, Bitcoin traded at around or just below $4,000. Since April, however, it has risen steadily and is currently trading at over $9,000. ESET and others have already warned that the growing price of Bitcoin will likely result in a new wave of cryptocurrency malware. “This latest discovery,” says Stefanko, “shows that crooks are actively searching for methods of circumventing security measures to increase their chances of profiting from the development.”
The basic process of the apps discovered by ESET is similar. On launch, the app asks the user to grant it ‘notification access’. This is not an ordinary runtime permission but a setting the user switches on in the system Settings; once granted, it allows the app to read the notifications displayed by every other app on the device, dismiss those notifications, or click buttons they contain. It has existed since Android 4.3, so it is available on roughly 90% of Android devices in use.
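Because the grant lives in the system Settings rather than in the app's permission list, the first thing a practitioner will want is a way to enumerate which apps actually hold it. The following Python is an added example (not code from ESET or from the article) that parses the value of the `enabled_notification_listeners` secure setting, which `adb shell settings get secure enabled_notification_listeners` returns as colon-separated flattened component names, and flags any package not on an owner-supplied allowlist. The sample setting value and the allowlist are constructed for the example; the wearable companion entry is shown as a typical legitimate listener, the `com.example.*` packages are placeholders.

```python
"""Audit which apps on an Android device hold 'notification access'.

Added example, not part of the ESET report or the original article. On a
device connected over adb the raw value comes from:

    adb shell settings get secure enabled_notification_listeners

which prints the granted listeners as flattened ComponentName strings
('pkg/cls' or the short form 'pkg/.Cls') separated by ':', or 'null' when
none are granted. Here a constructed sample value is parsed offline.
"""

from typing import List, Optional, Set, Tuple

# Constructed sample: a wearable companion app (a typical legitimate holder
# of notification access), a placeholder launcher, and a placeholder app the
# device owner does not recognise. com.example.* names are hypothetical.
SAMPLE_SETTING = (
    "com.google.android.wearable.app/"
    "com.google.android.clockwork.companion.NotificationListener:"
    "com.example.launcher/.NotificationListener:"
    "com.example.unknownapp/.NotifService"
)

# Assumed allowlist: packages the device owner expects to have access.
KNOWN_LISTENERS: Set[str] = {
    "com.google.android.wearable.app",
    "com.example.launcher",
}


def parse_listeners(value: Optional[str]) -> List[Tuple[str, str]]:
    """Split the secure setting into (package, fully qualified class) pairs.

    The short form 'pkg/.Cls' means the class lives in the package's own
    namespace, so it is expanded to 'pkg.Cls' before being returned.
    """
    if value is None or value.strip() in ("", "null"):
        return []
    listeners: List[Tuple[str, str]] = []
    for component in value.strip().split(":"):
        if not component or "/" not in component:
            continue  # malformed entry; skip rather than crash the audit
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        listeners.append((pkg, cls))
    return listeners


def unexpected_listeners(value: Optional[str], known: Set[str]) -> List[str]:
    """Packages holding notification access that are not on the allowlist."""
    return sorted({pkg for pkg, _ in parse_listeners(value) if pkg not in known})


if __name__ == "__main__":
    for pkg, cls in parse_listeners(SAMPLE_SETTING):
        print(f"{pkg:40s} {cls}")
    for pkg in unexpected_listeners(SAMPLE_SETTING, KNOWN_LISTENERS):
        # Revoke under Settings > Apps > Special app access > Notification access
        print("REVIEW:", pkg)
```

The check is deliberately an allowlist rather than a blocklist: a malicious listener will not announce itself by name, so anything the owner cannot account for is the finding.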
If the permission is granted, the app then displays a fake login message asking for the user’s BtcTurk login credentials. On their own, these wouldn’t be enough because of the 2FA requirements. The next step is to stop the user expecting any genuine response from the service — a false error message is displayed in Turkish. Translated, it says, “Opss! Due to the change made in the SMS Verification system, we are temporarily unable to service our mobile application. After the maintenance work, you will be notified via the application. Thank you for your understanding.”
The user’s basic credentials, however, have already been sent to the attacker’s server.
Because of the power of notification access, the app can now read all incoming notifications. It filters out all but those of interest, keeping only notifications posted by apps whose names contain one of the keywords gm, yandex, mail, k9, outlook, sms and messaging (which cover Gmail, Yandex.Mail, K-9 Mail, Outlook and the SMS/messaging apps). All these notifications are sent to the attacker, who is primarily looking for the one-time passwords used in 2FA.
This happens regardless of the user’s settings for displaying notifications on the lock screen. “The attackers behind this app can also dismiss incoming notifications and set the device’s ringer mode to silent, which can prevent victims from noticing fraudulent transactions happening.”
So, the next time the user legitimately tries to access the service, any 2FA OTP that arrives can be dismissed from his or her phone before it is seen, while a copy goes to the attacker. The user could be left waiting for the code while the attacker, who now has both the login credentials and the OTP, accesses the account.
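To make the scope of the filter concrete, here is an added Python example (not the malware's code and not from the ESET report) that reimplements the selection rule described above, a substring match of each keyword against the package name of the app that posted the notification, and runs it over a constructed batch of notifications. The package names are assumed examples of the kind of app each keyword catches, the `com.example.bank` app is hypothetical, and the OTP regex is an assumption about what the attacker looks for in the forwarded text.

```python
"""Which notifications the described keyword filter would forward.

Added example, not the malware's code and not from the ESET report. A real
NotificationListenerService sees each posted notification as a
StatusBarNotification, whose getPackageName() gives the posting app and
whose Notification extras (Notification.EXTRA_TEXT) give the body; this
script models that stream with constructed (package, text) tuples.
"""

import re
from typing import Dict, List, Optional, Sequence, Tuple

# The keyword list reported for the BtcTurk-impersonating apps.
KEYWORDS = ("gm", "yandex", "mail", "k9", "outlook", "sms", "messaging")

# Constructed notifications: (posting app's package name, notification text).
# Gmail is com.google.android.gm and K-9 Mail is com.fsck.k9; the AOSP
# messaging app is com.android.messaging; com.example.bank is hypothetical.
SAMPLE_NOTIFICATIONS: List[Tuple[str, str]] = [
    ("com.google.android.gm", "BtcTurk: your verification code is 482913"),
    ("com.android.messaging", "Your OTP is 775210. Do not share it."),
    ("com.fsck.k9", "Weekly newsletter: markets are up"),
    ("com.spotify.music", "New release from an artist you follow"),
    ("com.example.bank", "Login code: 119834"),
]

# Assumed: the attacker scans forwarded text for a 4-8 digit token.
OTP_RE = re.compile(r"\b\d{4,8}\b")


def would_forward(package_name: str) -> bool:
    """The filter as described: any keyword is a substring of the package."""
    return any(keyword in package_name for keyword in KEYWORDS)


def extract_otp(text: str) -> Optional[str]:
    """First code-like token in the notification body, or None."""
    match = OTP_RE.search(text)
    return match.group(0) if match else None


def forwarded(notifications: Sequence[Tuple[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Notifications that pass the filter, with any code-like token found.

    Everything that passes is exfiltrated; the OTP extraction only shows
    which of them would actually be useful to the attacker.
    """
    return [
        {"package": pkg, "text": text, "code": extract_otp(text)}
        for pkg, text in notifications
        if would_forward(pkg)
    ]


if __name__ == "__main__":
    for item in forwarded(SAMPLE_NOTIFICATIONS):
        print(f"{item['package']:28s} code={item['code']}  {item['text']}")
```

Two things fall out of running it. The filter is indiscriminate within its targets: the K-9 newsletter is exfiltrated along with the codes, because selection is by posting app, not by content. And the scope is entirely set by `KEYWORDS`: the hypothetical bank app's own push notification is not forwarded by this list, but a variant that added the bank's package name would capture it with no other change, which is the point made about other targets below.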
This isn’t the first of such malicious apps. ESET analyzed a similar app impersonating the Turkish Koineks exchange earlier this month. ESET believes it was developed by the same malicious actor, but lacked the ability to dismiss and silence notifications. “This shows,” says Stefanko, “that attackers are currently working on tuning this technique to achieve the ‘next best’ results to stealing SMS messages.”
A bigger concern is that the technique could be used against any target (bank, financial institution, cryptocurrency exchange) whose OTPs end up in a notification, whether pushed by the service’s own app or shown as a preview by the SMS or email app that receives the code, in any language and in any country.