Android Malware Bypasses 2FA by Stealing One-Time Passwords

Researchers monitoring malware that affects Android devices discovered malicious apps that can steal one-time passwords (OTP) from the notification system. This development bypasses Google's ban on apps that access SMS and call logs without justification.

Google enforced the restriction earlier this year specifically to lower the risk of sensitive permissions where they are not necessary. In theory, this also translated into stronger protection for two-factor authentication (2FA) codes delivered via the short message service.

Cybercriminals found a way around this limitation and instead tap into the notifications to obtain the sensitive information. This method also opens up the door to getting short-lived access codes that are delivered via email.

Getting around limitations

Multiple malicious apps impersonating the Turkish cryptocurrency exchange BtcTurk were uploaded to Google Play between June 7 and June 13.

Their purpose was to steal the login credentials to the service, and most likely try them with other services where 2FA protection against unauthorized access may be available.

Since access to SMS is not explained by any of their features, the fake apps take another route and request permission to check the notifications and to control them.

"This permission allows the app to read the notifications displayed by other apps installed on the device, dismiss those notifications, or click buttons they contain," says Lukas Stefanko, Android malware researcher at ESET.

Stefanko says that the two fake BtcTurk apps he uncovered run on Android 5.0 (KitKat) and above, which means they could impact up to 90% of the active Android devices.

Immediately after receiving permission to notifications, the malicious apps start phishing for the credentials of the cryptocurrency service by presenting a fake login form.

Once the username and password are sent, the victim receives an error message informing that there was a problem caused by the SMS verification service and that the app will issue a notification when maintenance work completes.

"Thanks to the Notification access permission, the malicious app can read notifications coming from other apps, including SMS and email apps. The app has filters in place to target only notifications from apps whose names contain the keywords “gm, yandex, mail, k9, outlook, sms, messaging," the researcher explains.

The attacker receives content shown in notifications from all targeted apps. This is not influenced by any of the settings the user makes, such as hiding the content when the screen is locked.

Furthermore, the attacker can dismiss the notifications and silence them so that the victim remains unaware of the unauthorized access.

One drawback to this technique, Stefanko points out, is that it can steal only the text that fits in the notification. Anything outside it remains hidden to the attacker. While this may not always include the one-time access code, a hacker would be successful in most cases.

It appears that this technique is actively tried on Turkish cryptocurrency users, as another app was discovered last week operating in the same way. 

It impersonated the cryptocurrency exchange Koineks and it was less advanced than the BtcTurk impersonators as it could not mute or dismiss the alerts.

The Notifications system on Android has attracted cybercriminals of late, who were also caught delivering fake messages fit with icons for the apps that triggered the alert. When the user tapped the notification, they would land on a deceiving web page.