Malware for Android steals one-time passwords and bypasses 2FA

Brother



ESET expert Lukas Stefanko discovered a new type of fraud: malicious Android apps that steal two-factor authentication (2FA) one-time passwords through the notification system. This technique bypasses the restrictions Google introduced at the beginning of this year, which prohibit applications from accessing SMS messages and call logs without serious justification.

Stefanko discovered several applications (BTCTurk Pro Beta and BtcTurk Pro Beta) posing as the Turkish cryptocurrency exchange BtcTurk. The apps were uploaded to Google Play between June 7 and 13, 2019, and pose a threat to Android 5.0 (KitKat) and higher, that is, they are dangerous for 90% of active Android devices. The main purpose of this malware is to steal credentials and use them, including in services protected by 2FA.

Since getting access to SMS has become difficult, the scammers chose a different method of obtaining information: they request permission to check and manage notifications. The researcher explains that this allows the app to read notifications displayed by other apps installed on the device, dismiss those notifications, or press the buttons they contain.



After receiving such permission, the malware begins to hunt for credentials from cryptocurrency services, presenting the victim with fake login and password entry forms. If the user falls for the scam and enters credentials, the victim is shown a fake error message. It states that there was a problem with SMS verification and that the application will supposedly show a notification as soon as this problem is fixed.

In fact, the malware has already sent the credentials to the attacker's server and can now read notifications from other applications. Stefanko writes that he found filters that select applications whose names contain the keywords gm, yandex, mail, k9, outlook, sms and messaging. As a result, attackers can read the notifications of all these targeted applications, dismiss them, and switch them to silent mode so that the victim does not notice the unauthorized access.
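The abuse described above hinges on one setting: which apps hold notification-listener access. The following is an added example (not code from the article, ESET or the forum poster) that audits that setting as a defender would. It assumes `adb` is on the PATH with a device attached when run live; the SAMPLE string and the ALLOWLIST are constructed so it also runs offline.

```shell
#!/bin/sh
# Audit notification-listener access on an Android device.
# The Secure setting enabled_notification_listeners holds a
# colon-separated list of ComponentName entries (package/class);
# the literal "null" means no listener is enabled.

# Constructed allowlist: packages you expect to read notifications.
ALLOWLIST="com.example.smartwatch com.example.launcher"

# Constructed sample value in the real format: one expected listener
# and one unknown package that should be reviewed.
SAMPLE='com.example.smartwatch/com.example.smartwatch.NotifListener:com.example.unknownwallet/.NotifService'

# Read the live value from the attached device (strip CR from adb output).
fetch_listeners() {
    adb shell settings get secure enabled_notification_listeners | tr -d '\r'
}

# Print, one per line, every package in setting $1 not present in allowlist $2.
audit_listeners() {
    setting="$1"
    allow="$2"
    [ "$setting" = "null" ] && return 0
    printf '%s\n' "$setting" | tr ':' '\n' | cut -d/ -f1 | sort -u |
    while read -r pkg; do
        [ -z "$pkg" ] && continue
        case " $allow " in
            *" $pkg "*) ;;                # expected listener, skip
            *) printf '%s\n' "$pkg" ;;    # unknown: needs review
        esac
    done
}

# Return 1 if any unexpected listener is present (usable in a fleet check).
check_device() {
    unknown=$(audit_listeners "$1" "$ALLOWLIST")
    if [ -n "$unknown" ]; then
        printf 'Unexpected notification access:\n%s\n' "$unknown"
        return 1
    fi
    return 0
}

# Offline demonstration on the constructed sample; for a real device use:
#   check_device "$(fetch_listeners)"
if check_device "$SAMPLE"; then echo "no unexpected listeners"; else echo "review needed"; fi
```

An unexpected entry is a prompt to inspect the app, not proof of malice; the same access is legitimately used by wearable companions and accessibility tools.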



This method has only one drawback: attackers can steal only the text that appears in the notification. However, Stefanko notes that in most cases this will be enough for the attack to succeed.

Interestingly, another similar app was spotted last week, also targeting Turkish users. This malware posed as the Koineks cryptocurrency exchange but was less sophisticated than the BtcTurk imitators; for example, it could not dismiss notifications or mute them.

Let me remind you that recently Doctor Web experts described a similar attack technique that uses fake notifications in Android. In that case, notifications were used not to steal one-time passwords, but to redirect users to malicious and advertising resources.