{"id":3288,"date":"2019-06-18T10:24:24","date_gmt":"2019-06-18T07:24:24","guid":{"rendered":"https:\/\/blog.eset.ee\/?p=3288"},"modified":"2019-12-09T12:33:53","modified_gmt":"2019-12-09T10:33:53","slug":"malware-sidesteps-google-permissions-policy-with-new-2fa-bypass-technique","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2019\/06\/18\/malware-sidesteps-google-permissions-policy-with-new-2fa-bypass-technique\/","title":{"rendered":"Malware sidesteps Google permissions policy with new 2FA bypass technique"},"content":{"rendered":"\n

When Google restricted the use<\/a> of SMS and Call Log permissions in Android apps in March 2019, one of the positive effects was that credential-stealing apps lost the option to abuse these permissions for bypassing SMS-based two-factor authentication (2FA) mechanisms.<\/p>\n\n\n\n

We have now discovered malicious apps capable of accessing one-time passwords (OTPs) in SMS 2FA messages without using SMS permissions, circumventing Google\u2019s recent restrictions. As a bonus, this technique also works to obtain OTPs from some email-based 2FA systems.<\/p>\n\n\n\n

The apps impersonate the Turkish cryptocurrency exchange BtcTurk and phish for login credentials to the service. Instead of intercepting SMS messages to bypass 2FA protection on users\u2019 accounts and transactions, these malicious apps take the OTP from notifications appearing on the compromised device\u2019s display. Besides reading the 2FA notifications, the apps can also dismiss them to prevent victims from noticing fraudulent transactions happening.<\/p>\n\n\n\n

The malware, all forms of which are detected by ESET products as Android\/FakeApp.KP, is the first known to sidestep the new SMS permission restrictions.<\/p>\n\n\n\n

The malicious apps<\/h1>\n\n\n\n

The first of the malicious apps we analyzed was uploaded to Google Play on June 7, 2019 as \u201cBTCTurk Pro Beta\u201d under the developer name \u201cBTCTurk Pro Beta\u201d. It was installed by more than 50 users before being reported by ESET to Google\u2019s security teams. BtcTurk<\/a> is a Turkish cryptocurrency exchange; its official mobile app<\/a> is linked on the exchange\u2019s website and only available to users in Turkey.<\/p>\n\n\n\n

The second app was uploaded on June 11, 2019 as \u201cBtcTurk Pro Beta\u201d under the developer name \u201cBtSoft\u201d. Although the two apps use a very similar guise, they appear to be the work of different attackers. We reported the app on June 12, 2019 when it had been installed by fewer than 50 users.<\/p>\n\n\n\n

After this second app was removed, the same attackers uploaded another app with identical functionality, this time named \u201cBTCTURK PRO\u201d and using the same developer name, icon and screenshots. We reported the app on June 13, 2019.<\/p>\n\n\n\n

Figure 1 shows the first two malicious apps as they appeared on Google Play.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Figure 1. The fake BtcTurk apps on Google Play<\/em><\/p>\n\n\n\n

The novel 2FA bypass technique<\/h1>\n\n\n\n

After installation, both apps described in the previous section follow a similar procedure. In this section of the blogpost, we will describe the novel 2FA bypass technique using the first app, \u201cBTCTurk Pro Beta\u201d, as an example.<\/p>\n\n\n\n

After the app is launched, it requests a permission named Notification access<\/em>, as shown in Figure 2. This permission allows the app to read the notifications displayed by other apps installed on the device, dismiss those notifications, or click buttons they contain.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Figure 2. The fake app requesting Notification access<\/em><\/p>\n\n\n\n

The Notification access<\/em> permission was introduced in Android version 4.3 (Jelly Bean), meaning almost all active Android devices<\/a> are susceptible to this new technique. Both fake BtcTurk apps require Android version 5.0 (KitKat) or higher to run; thus they could affect around 90% of Android devices.<\/p>\n\n\n\n

Once the user grants this permission, the app displays a fake login form requesting credentials for BtcTurk, as shown in Figure 3.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Figure 3. The fake login form displayed by the malicious app<\/em><\/p>\n\n\n\n

After credentials are entered, a fake error message in Turkish is displayed, as seen in Figure 4. The English translation of the message is: \u201c<\/em>Opss! Due to the change made in the SMS Verification system, we are temporarily unable to service our mobile application. After the maintenance work, you will be notified via the application. Thank you for your understanding<\/em>.\u201d<\/em><\/p>\n\n\n\n

In the background, the entered credentials are sent to the attacker\u2019s server.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Figure 4. The fake error message displayed by the malicious app<\/em><\/p>\n\n\n\n

Thanks to the Notification access<\/em> permission, the malicious app can read notifications coming from other apps, including SMS and email apps. The app has filters in place to target only notifications from apps whose names contain the keywords \u201cgm, yandex, mail, k9, outlook, sms, messaging\u201d, <\/em>as seen in Figure 5.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Figure 5. Targeted app names and types<\/em><\/p>\n\n\n\n

The displayed content of all notifications from the targeted apps is sent to the attacker\u2019s server. The content can be accessed by the attackers regardless of the settings<\/a> the victim uses for displaying notifications on the lock screen. The attackers behind this app can also dismiss incoming notifications and set the device\u2019s ringer mode to silent, which can prevent victims from noticing fraudulent transactions happening.<\/p>\n\n\n\n

As for effectiveness in bypassing 2FA, the technique does have its limitations \u2013 attackers can only access the text that fits the notification\u2019s text field, and thus, it is not guaranteed it will include the OTP. The targeted app names show us that both SMS and email 2FA are of interest to the attackers behind this malware. In SMS 2FA, the messages are generally short, and OTPs are likely to fit in the notification message. However, in email 2FA, message length and format are much more varied, potentially impacting the attacker\u2019s access to the OTP.<\/p>\n\n\n\n

A fast-evolving technique<\/h1>\n\n\n\n

Just last week, we analyzed a malicious app impersonating the Turkish cryptocurrency exchange Koineks<\/a> (kudos to @DjoNn35 <\/em>for bringing that app to our attention). It is of interest that the fake Koineks app uses the same malicious technique to bypass SMS and email-based 2FA but lacks the ability to dismiss and silence notifications.<\/p>\n\n\n\n

According to our analysis, it was created by the same attacker as the \u201cBTCTurk Pro Beta\u201d app analyzed in this blogpost. This shows that attackers are currently working on tuning this technique to achieve the \u201cnext best\u201d results to stealing SMS messages.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Figure 6. Information about the fake Koineks app on Google Play<\/em><\/p>\n\n\n\n

How to stay safe<\/h1>\n\n\n\n

If you suspect that you have installed and used one of these malicious apps, we advise you to uninstall it immediately. Check your accounts for suspicious activity and change your passwords.<\/p>\n\n\n\n

Last month, we warned<\/a> about the growing price of bitcoin giving rise to a new wave of cryptocurrency malware on Google Play. This latest discovery shows that crooks are actively searching for methods of circumventing security measures to increase their chances of profiting from the development.<\/p>\n\n\n\n

To stay safe from this new technique, and financial Android malware in general:<\/p>\n\n\n\n