Google's 2FA sidestepped by malware
In March 2019 Google changed the rules on what Android app developers were allowed to use the SMS and call-log permissions for. This meant that rogue apps lost the ability to bypass 2FA mechanisms that use SMS to deliver the One-Time Password (OTP).
Eset have discovered apps that are able to grab the OTP delivered via SMS without using the very permissions Google restricted. These malicious apps have also found a way of getting the OTP from some 2FA systems that deliver it via email.
Probably not an issue in the UK, as the apps Eset have discovered impersonate a Turkish cryptocurrency known as BtcTurk.
They discovered the first app on June 7th 2019 and the second on June 11th 2019. The first app had been installed by more than 50 users, the second by slightly fewer.
Both apps were reported to Google, but as soon as the second was removed the criminals uploaded a third. All have similar names: Btc Turk Pro Beta, BTCTURKPro Beta.
The apps circumvented 2FA through the use of one very specific permission: notification access. This permission lets the app read notifications posted by other apps, dismiss them, and even click any buttons the notification might contain.
The app then displays a fake login page and reports that it cannot currently work properly because of Google's recent change in SMS policy. In the background it sends the user's login details to the attacker's server. Because it now holds notification access, it can read the notifications of every other app, and it sends their content back to the attacker's server.
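The practical check a defender wants here is a list of which apps on a device actually hold notification access, since that single permission is what these apps relied on. The Python below is an example added to this post, not code from the article or from Eset. It assumes the raw value was pulled off a device with `adb shell settings get secure enabled_notification_listeners`, which returns a colon-separated list of package/class component names; the sample device output and the allowlist are constructed for illustration and are not real packages.

```python
"""Audit which Android apps hold notification access.

Example added to this post (not from the original article or Eset).
Assumes the listener string was obtained with:
    adb shell settings get secure enabled_notification_listeners
which returns a colon-separated list of ComponentName strings
(package/class). The sample output and allowlist below are constructed
for illustration and do not name any real app.
"""
from typing import List, Tuple

# Constructed sample: a vetted wearable companion app plus one listener
# the organisation has never approved (hypothetical package names).
SAMPLE_RAW = (
    "com.example.wearable/com.example.wearable.NotificationListener:"
    "com.example.btcturkprobeta/com.example.btcturkprobeta.NotifService"
)

# Hypothetical allowlist of packages expected to hold notification access.
ALLOWED_PACKAGES = {
    "com.example.wearable",
}


def parse_enabled_listeners(raw: str) -> List[Tuple[str, str]]:
    """Split the Settings.Secure value into (package, class) pairs.

    An empty value or the literal string 'null' means no app currently
    has notification access.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    result = []
    for component in raw.split(":"):
        component = component.strip()
        if not component:
            continue
        if "/" in component:
            pkg, cls = component.split("/", 1)
        else:
            pkg, cls = component, ""
        # ComponentName short form "pkg/.Foo" expands to "pkg.Foo".
        if cls.startswith("."):
            cls = pkg + cls
        result.append((pkg, cls))
    return result


def unexpected_listeners(raw: str, allowed=ALLOWED_PACKAGES) -> List[str]:
    """Return packages holding notification access that are not allowlisted."""
    return sorted({pkg for pkg, _ in parse_enabled_listeners(raw)
                   if pkg not in allowed})


if __name__ == "__main__":
    for pkg in unexpected_listeners(SAMPLE_RAW):
        print(f"Unexpected notification listener: {pkg}")
```

Any package the script flags is one to question in exactly the way the post suggests: does a cryptocurrency app really need to read every other app's notifications?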
The moral of the story? Check an app's popularity, age and reviews, and read carefully what permissions it asks for. Does this app really need that permission?
13th July 2019