Malicious Android Apps Bypass 2FA and Steal Cryptocurrency Account Logins

BtcTurk users targeted by 2FA-bypassing Android apps

If someone asks you to illustrate the modern threat landscape with a single analogy, just say that it's a cat and mouse game. If this someone asks you to clarify, tell them about the three malicious Android applications that researchers from ESET found recently.

The developers of these apps managed to push them past Google's malware scanners and published them on Android's official app store. The goal of the whole operation was to trick victims into giving away their login credentials for a Turkish cryptocurrency exchange called BtcTurk.

BtcTurk has a legitimate Android application, and judging by ESET's screenshots, the crooks did a rather good job of copying the way it looks. Probably that's why, although the fake apps were reported and taken down from Google Play relatively quickly, at least 50 users fell for the scam and downloaded the malware.

On the face of it, there's nothing special. When opened, the apps present a fake login page that looks pretty much identical to BtcTurk's, and any usernames and passwords victims enter into it are sent directly to the criminals. When ESET's Lukas Stefanko examined them more closely, however, he realized that they came with a new mechanism for bypassing SMS-based two-factor authentication (2FA).

Hackers develop another way of beating 2FA

We've already discussed SMS-based 2FA and how it can be defeated by crooks who intercept text messages mid-flight. Up until a few months ago, however, there was another, arguably simpler way of beating the security feature on Android devices.

The hackers knew that if their apps could get permission to read users' text messages and call logs, they could steal the temporary passwords and get past the second factor without too much hassle. That's why, in March, Google's security team decided to restrict the use of SMS and call log permissions, thinking that this would put an end to this particular threat. It didn't take the crooks too much time to find a way around the restrictions, though.

The hackers that developed the fake BtcTurk applications realized that Android apps can request another permission which could give them access to the all-important 2FA password. Google might have stricter rules on which apps can read SMSs nowadays, but when it comes to notifications, the regulations are as loose as ever. As any Android user will tell you, when you receive an SMS, you also get a notification, and when the text message is coming from a 2FA system, the temporary password is often visible in the notification. As you might imagine, the hackers managed to put two and two together.

As soon as the victims enter their login details, the fake BtcTurk apps try to use them to log in at the actual exchange. This triggers BtcTurk's 2FA system which sends a one-time password to the user as an SMS. Because the malicious app has previously requested permission to read notifications, it steals the one-time password and lets the crooks log in to the victim's BtcTurk account. If the subsequent transactions trigger the 2FA system again, the applications can take the one-time password and then dismiss the notification, which means that the victim is less likely to notice.
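For defenders, the check that follows from this mechanism is an audit of which apps hold notification access on a device. The Python sketch below is an added example, not code from ESET's research or from this article: it parses the colon-separated value Android keeps in the secure setting `enabled_notification_listeners` and flags packages that are not on an allowlist. The package names, the sample value and the allowlist are constructed for illustration.

```python
import subprocess

# Constructed sample of the value stored in the secure setting
# "enabled_notification_listeners": package/class entries joined by ":".
SAMPLE = (
    "com.example.smartwatch/com.example.smartwatch.NotificationRelay:"
    "com.example.fakeexchange/.NotifService"
)

# Hypothetical allowlist: packages the device owner expects to read notifications.
ALLOWED = {"com.example.smartwatch"}


def parse_listeners(raw):
    """Split the setting value into (package, service_class) pairs."""
    raw = (raw or "").strip()
    if raw in ("", "null"):           # "null" is printed when the setting is unset
        return []
    pairs = []
    for entry in raw.split(":"):
        pkg, sep, cls = entry.strip().partition("/")
        if not pkg or not sep:
            continue                  # skip malformed entries
        if cls.startswith("."):       # short form: class name relative to package
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def unexpected_listeners(raw, allowed=ALLOWED):
    """Return listeners whose package is not on the allowlist."""
    return [(p, c) for p, c in parse_listeners(raw) if p not in allowed]


def read_from_device():
    """Read the live value over adb (needs a connected, authorised device)."""
    cmd = ["adb", "shell", "settings", "get", "secure",
           "enabled_notification_listeners"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for pkg, cls in unexpected_listeners(SAMPLE):
        print(f"review notification access: {pkg} ({cls})")
```

Passing the output of `read_from_device()` to `unexpected_listeners()` runs the same check against a real handset; any package it reports can be reviewed and revoked in the device's notification access settings.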

All in all, the operation was well thought through, and if it weren't for ESET's experts, it would probably have caught quite a few Turkish cryptocurrency fans. That said, the crooks did make a mistake.

The BtcTurk phishers leave sensitive data exposed

A security researcher who goes by the alias @fs0c131y (whom we've talked about in the past) was intrigued by the phishing operation, and he set about going through the Command & Control (C&C) infrastructure. He noticed that the crooks were logging all the stolen information in a Firebase database that wasn't protected in any way. In other words, they were not only stealing people's login data, but they were also exposing it for the whole world to see by making what is arguably the simplest configuration mistake of them all.

As you can see, this is a pretty good example of how information security works. Vendors like Google work hard to plug the holes that cybercriminals exploit, but in the end, the crooks just find new ones. In the process, their sloppiness means that the stolen data is often not protected which, in turn, opens more doors for other opportunistic crooks. Unfortunately, it's all at the expense of the regular user.

June 24, 2019
