Posted on June 24, 2019 at 9:42 AM
Online threats are becoming more and more sophisticated and capable, with the current security features of modern devices no longer being able to stop them. This is especially true when it comes to Android phones, and the recent research reports prove it.
Several weeks ago, Google admitted that a number of low-end Android devices were infected with pre-installed malware. However, while researching this, experts also uncovered that there is a malware that haunts Google Play Store, and that it can bypass security firewalls if downloaded.
The discovery was made by security experts from We Live Security by ESET. They pointed out that some specific apps, which can be downloaded from the Play Store, can actually bypass Google’s restrictions. Further, the malicious apps can’t be stopped by the 2FA (2 Factor Authentication) on their way to accessing OTPs (One-Time Passwords) in SMS 2FA messages. According to some evidence, it is also possible that the malware can gain access to OTPs from emails as well.
Two-Factor Authentication is no longer an obstacle
Google has had problems with malicious apps for a long time now. Every so often, the tech giant would block dozens of newly-discovered apps due to their malicious nature. Then, in March of this year, the company restricted Call Log and SMS permissions in Android apps. It was hoped that this would prevent apps from stealing user credentials and bypassing 2FA.
As many are likely aware, the 2FA system is an additional security layer where users need to receive and then input a special code in order to access various accounts. These are known as one-time passwords which users receive via email, or more often — via SMS.
This was considered to be a great solution, and for a long while, it was. However, things started to change when hackers started posting malicious apps that would request access to SMS. Since most users do not usually pay attention to granting permissions, many have allowed it, and the hackers were able to steal OTPs and use them themselves, thus successfully bypassing 2FA.
Google reacted by preventing the apps from asking such permissions, and now — it appears that this security feature is circumvented by a new malware. Security experts believe that the app impersonates a Turkey-based crypto exchange, BtcTurk, and then steals login credentials for the actual service.
In other words, instead of trying to intercept SMS messages and steal OTPs like before, the malicious app now scans the screen of the device and takes information from the notification that pops up once the codes are received. Not only that, but it can also dismiss the notifications as soon as it gets what it needs so that the user would not realize what is happening.
Malware evolution underway
While it is likely that more of such techniques will be used in the future — this is still an important discovery, as this is the first malware that managed to bypass Google’s new restrictions. Of course, the malware has already spread, and it now comes as a part of multiple apps. BTCTurk Pro Beta was the first one to be discovered, and it was already downloaded around 50 times before being discovered by researchers.
Then, another app with the same name appeared, only a different developer uploaded it. Google removed the second app as well, and the hacker then uploaded the third app, with the same function, as well as with the same malware. With the new apps, researchers believe that the attacks have been evolving as well.
Then, only a week ago, researchers were notified of another potentially malicious app that impersonated another Turkish crypto exchange, known as Koineks. This app also used the same technique, and further research indicates that it also comes from the same developer. The conclusion that researchers managed to come to is that the attackers are likely testing the malware, which is evolving and getting better at obtaining OTPs without actually accessing and stealing SMS.
As mentioned earlier, the announcement of the new method of stealing OTPs came only a few days after Google stated that there were a few low-end Android devices that came with the pre-installed malware. The company discussed the malware, known as Triada, in detail, and even confirmed that Doogee, Leagoo, and Cherry Mobile have it pre-installed. This particular malware was discovered in 2016 by Kaspersky Labs. Now, it seems that it gets installed on phones during the supply chain process. According to Google, cybercriminals managed to compromise Android phones and install a backdoor in quite a few of them, which is yet another threat to the security of users.