Press Center

Fake cryptocurrency app uses new 2FA bypass technique to sidestep Google permission policy

Created: 2019-06-17 07:11:01

BRATISLAVA – ESET researchers have analyzed a fake cryptocurrency app using a previously unseen technique to bypass SMS-based two-factor authentication, circumventing Google’s recent SMS permissions restrictions. Google restricted the use of SMS and Call Log permission groups in Android apps in March 2019 to prevent intrusive apps from abusing them for various illicit purposes. 

The app mimics the Turkish cryptocurrency exchange Koineks and phishes for login credentials to the service. Instead of intercepting SMS messages to bypass 2FA protection on users’ accounts and transactions, this malware takes the one-time password (OTP) from notifications appearing on the compromised device’s display. The malicious app was uploaded to Google Play on May 22, 2019, as “Koineks” and was installed by more than 100 users before being removed from the store a week later.  

After the app is installed and launched, it requests a permission named Notification access. The fake Koineks app can then read the content of notifications. According to ESET’s analysis, the attackers behind this app specifically target notifications from SMS and email apps.

“One of the positive effects of Google’s restrictions from March 2019 was that credential-stealing apps lost the option to abuse the permissions that allowed them to bypass SMS-based 2FA mechanisms. However, with the discovery of this fake app, we have now seen a malicious app bypass the SMS permission restriction for the first time since the new policy was introduced,” said ESET Researcher Lukáš Štefanko, author of the research piece.

The Notification access permission was introduced in Android’s Jelly Bean 4.3 version, meaning almost all active Android devices are susceptible to this new technique. The fake Koineks app requires Android version 5.0 (KitKat) to run, thus it affects around 90% of Android devices. 

As for its effectiveness in bypassing 2FA, this specific technique does have its limitations – attackers can only access the text field that fits the notification’s text field, and thus, it is not guaranteed that the text will include the OTP. In SMS 2FA, the messages are generally short, and OTPs are likely to fit in the notification message. However, in email 2FA, message length and format are much more varied, potentially impacting accessible data.

For more details, read the full piece by Lukáš Štefanko, “Malware sidesteps Google permissions policy with new 2FA bypass technique,” on “WeLiveSecurity.com.”

Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.