Apps bypass Google's permissions policy

Problems with Google Play: ESET researchers have discovered counterfeit cryptocurrency applications that use an unprecedented technique to bypass SMS-based 2FA authentication, circumventing Google's recent restrictions on SMS permissions. In March 2019, Google restricted the use of the SMS and Call Log permissions in Android applications, in order to protect users from intrusive applications with illicit purposes.

The applications, called "BTCTurk Pro Beta", "BtcTurk Pro Beta" and "BTCTURK PRO", imitate the Turkish cryptocurrency exchange BtcTurk and phish for login credentials to the service. These malicious applications do not steal SMS messages to bypass the 2FA protection of users' accounts and transactions. Instead, they obtain the one-time password (OTP) from the notifications that appear on the screen of the compromised device.

In addition to being able to read 2FA notifications, the applications can also dismiss them, preventing victims from noticing fraudulent transactions. All three applications were uploaded to Google Play in June 2019 and were removed immediately after ESET's notification.

Once installed and running, the fake apps ask for permission to access notifications. They can then read notifications displayed by other apps installed on the device, dismiss them, or click the buttons they contain. According to ESET, the cybercriminals behind these apps specifically target notifications from SMS and email apps.

"Thanks to the restrictions imposed by Google in March 2019, applications that stole login credentials had lost the ability to abuse the permissions they needed to bypass SMS-based 2FA mechanisms. However, in discovering these fake apps, we have seen, for the first time, one bypass this restriction on SMS permissions," said ESET researcher and study author Lukáš Štefanko.

The notification access permission first appeared in Android Jelly Bean 4.3, which means that almost all active Android devices are vulnerable to this new technique. The fake BtcTurk applications can run on Android version 5.0 and above. In practice, this means that they affect about 90% of Android devices.

This technique has certain limitations in how effectively it bypasses 2FA: the attackers only have access to the text that fits in the notification's text field, so it is not certain that the text will include the OTP code. In SMS-based 2FA, messages are generally short and OTP codes are likely to fit in the notification message. In 2FA emails, however, the length and format of the message are more varied, which may affect the attackers' access to the data.

ESET urges users who suspect they have used one of these malicious applications to uninstall it immediately and check their accounts for suspicious transactions. To stay safe from Android malware in general, ESET provides the following advice:

  • Only trust cryptocurrency and financial services apps if they are linked from the official website of the service.
  • Only enter your sensitive information into electronic forms if you are confident about their security and legitimacy.
  • Keep your device up to date.
  • Use a reliable mobile security solution to block and remove threats.
  • Prefer software-based or token-based one-time password (OTP) generators over SMS or email.
  • Use only trusted applications, but even then, allow them to access notifications only if there is a good reason.
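
The last point can be checked on a device. The following is an added example, not code from ESET or from the original article: it parses the colon-separated component list that Android keeps in the secure setting `enabled_notification_listeners` and reports packages holding notification access that are not on an allowlist. The package names, the allowlist and the sample value are constructed for illustration.

```python
import subprocess

# Hypothetical allowlist: packages the device owner deliberately granted
# notification access to. Adjust per device.
ALLOWED = {"com.example.wearcompanion"}

def parse_listeners(raw):
    """Parse the value of `enabled_notification_listeners`: flattened
    ComponentNames ("package/class") separated by colons."""
    listeners = []
    for entry in raw.strip().split(":"):
        entry = entry.strip()
        if not entry or entry == "null":   # "null" means the setting is unset
            continue
        pkg, sep, cls = entry.partition("/")
        if not sep or not pkg:
            continue                        # skip malformed entries
        if cls.startswith("."):             # short form: class relative to package
            cls = pkg + cls
        listeners.append((pkg, cls))
    return listeners

def unexpected_listeners(raw, allowed=ALLOWED):
    """Return packages with notification access that are not allowlisted."""
    return sorted({pkg for pkg, _ in parse_listeners(raw) if pkg not in allowed})

def read_from_device():
    """Read the setting from a USB-debugging-enabled device via adb."""
    result = subprocess.run(
        ["adb", "shell", "settings", "get", "secure",
         "enabled_notification_listeners"],
        capture_output=True, text=True, check=True)
    return result.stdout

# Constructed sample value, not taken from a real device.
SAMPLE = ("com.example.wearcompanion/.Listener:"
          "com.example.fakeexchange/com.example.fakeexchange.NotifService\n")

if __name__ == "__main__":
    for pkg in unexpected_listeners(SAMPLE):
        print("review notification access for:", pkg)
```

Replace `SAMPLE` with `read_from_device()` to audit a connected device; access can then be revoked in the system's notification access settings.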

More details can be found in the relevant article by Lukáš Štefanko: «Malware sidesteps Google permissions policy with new 2FA bypass technique».


Written by newsbot
