ESET researchers have discovered fake cryptocurrency apps using a previously unseen technique to bypass SMS-based two-factor authentication (2FA), circumventing Google’s recent SMS permissions restrictions. Google restricted the use of SMS and Call Log permissions in Android apps in March 2019 to prevent intrusive apps from abusing them for various illicit purposes.
The apps, named “BTCTurk Pro Beta,” “BtcTurk Pro Beta” and “BTCTURK PRO” impersonate the Turkish cryptocurrency exchange BtcTurk and phish for login credentials to the service. Instead of intercepting SMS messages to bypass 2FA protection on users’ accounts and transactions, these malicious apps take the one-time password (OTP) from notifications appearing on the compromised device’s display. Besides reading the 2FA notifications, the apps can also dismiss them to prevent victims from noticing fraudulent transactions happening. All three apps were uploaded to Google Play in June 2019 and were quickly taken down following ESET’s notification.
After the fake BtcTurk apps are installed and launched, they request a permission named Notification access. The apps can then read the notifications displayed by other apps installed on the device, dismiss those notifications, or click buttons they contain. According to ESET’s analysis, the attackers behind these apps specifically target notifications from SMS and email apps.
“One of the positive effects of Google’s restrictions from March 2019 was that credential-stealing apps lost the option to abuse these permissions for bypassing SMS-based 2FA mechanisms. However, with the discovery of these fake apps, we have now seen the first malware sidestepping this SMS permission restriction,” said ESET Researcher Lukáš Štefanko, author of the research.
The Notification access permission was introduced in Android’s Jelly Bean 4.3 version, meaning almost all active Android devices are susceptible to this new technique. The fake BtcTurk apps require Android version 5.0 (KitKat) and higher to run; thus, they affect around 90% of Android devices.
As for the effectiveness in bypassing 2FA, this specific technique does have its limitations – attackers can only access the text that fits the notification’s text field, and thus, it is not guaranteed that the text will include the OTP. In SMS 2FA, the messages are generally short, and OTPs are likely to fit in the notification message. However, in email 2FA, message length and format are much more varied, potentially impacting accessible data.