A few weeks after Google confirmed that malware had been pre-installed on some low-end Android devices, a team of researchers has found malware, downloadable from the Google Play Store, that can bypass Google's recently tightened security controls.
Cybersecurity researchers from ESET's WeLiveSecurity found that specific applications downloadable from the Google Play Store can circumvent Google's new restriction and bypass two-factor authentication to access one-time passwords (OTPs) in SMS 2FA messages without using SMS permissions. Evidence also revealed that the malware could even access OTPs from some emails.
In March 2019, Google restricted SMS and Call Log permissions in Android apps, a move that prevents credential-stealing apps from abusing these permissions to bypass SMS-based two-factor authentication (2FA) mechanisms.
Two-factor authentication adds a layer of security for users: the system does not grant access to a service just because the log-in credentials were entered. Instead, 2FA sends a one-time password via email or SMS to the owner of the device to validate that the login is authentic and legitimate.
First malware to sidestep Google’s SMS restrictions
Now, malware has found a way to circumvent Google's security features. According to the researchers, the app impersonates a cryptocurrency exchange from Turkey, BtcTurk, and phishes for login credentials to the service.
“Instead of intercepting SMS messages to bypass 2FA protection on users’ accounts and transactions, these malicious apps take the OTP from notifications appearing on the compromised device’s display. Besides reading the 2FA notifications, the apps can also dismiss them to prevent victims from noticing fraudulent transactions happening,” wrote the researchers in their security warning post.
They added that this is the first documented malware to circumvent the new SMS restrictions.
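As an added defensive check (not code from ESET or from the article), the script below parses the Android setting that lists which apps hold Notification Access, the capability these apps abuse to read and dismiss 2FA notifications, and flags any package outside an allowlist. The allowlist and the sample listener string are constructed for the example; the only real interface assumed is the `adb shell settings` command named in the comments.

```shell
#!/bin/sh
# Added example, not from the ESET report: audit which apps on an Android
# device hold Notification Access. On a real device the listener list comes
# from:  adb shell settings get secure enabled_notification_listeners
# It is a ':'-separated list of package/service components, or "null".

# Packages allowed to hold Notification Access (constructed allowlist; Android
# Auto and wearable companions legitimately need it; tune it to your fleet).
ALLOWED_PACKAGES="com.google.android.projection.gearhead
com.google.android.wearable.app"

# Constructed sample standing in for the adb output on a suspect device; the
# second component is a placeholder, not a package name from the report.
SAMPLE_LISTENERS="com.google.android.projection.gearhead/com.google.android.gearhead.notifications.NotificationListener:com.example.unknownwallet/com.example.unknownwallet.Listener"

# Print every enabled listener whose package is not allowlisted.
# Returns 0 when all listeners are expected, 1 when any is not.
audit_listeners() {
    listeners="$1"
    allowed="$2"
    unexpected=0
    # Android reports "null" when no listener is enabled.
    if [ "$listeners" = "null" ]; then
        listeners=""
    fi
    old_ifs="$IFS"
    IFS=':'
    for comp in $listeners; do
        pkg="${comp%%/*}"   # the package is the part before '/'
        # -F: literal match (dots are not regex wildcards); -x: whole line
        if printf '%s\n' "$allowed" | grep -qxF "$pkg"; then
            continue
        fi
        echo "UNEXPECTED notification listener: $comp"
        unexpected=1
    done
    IFS="$old_ifs"
    return "$unexpected"
}

if audit_listeners "$SAMPLE_LISTENERS" "$ALLOWED_PACKAGES"; then
    echo "OK: only allowlisted apps hold Notification Access"
else
    echo "REVIEW: inspect the app above and revoke its Notification Access"
fi
```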
Several apps in the Google Play Store housed this malware. The first was “BTCTurk Pro Beta” under the developer name “BTCTurk Pro Beta,” which had already reached 50 downloads by the time the team reported the security threat to Google.
The second app was uploaded on June 11, 2019, as “BtcTurk Pro Beta” under the developer name “BtSoft.” Although the first two apps analyzed by the researchers use the same guise, the team believes they came from two different attackers.
The malware is evolving
Despite the team's reports, the attackers proved persistent. “After this second app was removed, the same attackers uploaded another app with identical functionality, this time named “BTCTURK PRO” and using the same developer name, icon and screenshots. We reported the app on June 13, 2019,” said the researchers.
The team suspects that the attacks are evolving, as similar apps had been observed and reported a few weeks earlier.
“Just last week, we analyzed a malicious app impersonating the Turkish cryptocurrency exchange Koineks (kudos to @DjoNn35 for bringing that app to our attention). It is of interest that the fake Koineks app uses the same malicious technique to bypass SMS and email-based 2FA but cannot dismiss and silence notifications.”
Analysis reveals that the fake Koineks app was developed by the same attackers behind the “BTCTurk Pro Beta” app, and shows that the cybercriminals are refining their malware.
“This shows that attackers are currently working on tuning this technique to achieve the “next best” results to stealing SMS messages,” they added.
Google confirmed malware was pre-installed in some devices
The announcement of this exploit came a few days after Google confirmed that some low-end Android devices ship with pre-installed malware. In a press release, Google for the first time discussed in detail the malware, called Triada, which the company confirmed had been pre-installed on several low-end Android devices, including models from Cherry Mobile, Leagoo, and Doogee. The malware, first discovered and published by Kaspersky Lab back in 2016, had been pre-installed on the affected devices, meaning it was already present before anyone bought the phone.
It was previously believed that the malware was added to the affected devices at some point in the supply chain. Now, Google has revealed that cybercriminals did manage to compromise the Android smartphones and install a backdoor while the phones were still in the supply chain.