New Android 2FA Exploit Discovered, Wave of New Apps Targets Cryptocurrency Users

With so many devices running the operating system, it is clear that any vulnerability involving Android systems must be addressed as soon as possible, since the safety and personal data of potentially billions of users is at risk.

Circumventing Google Restrictions

One such potentially devastating vulnerability was recently discovered by ESET, the IT security company behind the famous ESET NOD32 antivirus. The new vulnerability reportedly allows malicious code to extract incoming 2FA and OTP information, which could then be used to compromise the associated account. Back in March 2019, Google placed a restriction on Android apps, preventing most from seeking permission to access SMS and call log information on phones. According to Google, this information is considered, and hence should only be used by apps that require this information for their core functionality, such as phone and SMS handlers, in addition to digital assistants. By restricting which apps on Android are able to request and access such information, Google essentially laid the hammer down on many data mining and credential leaking apps. The newly discovered vulnerability bypasses this restriction by allowing apps to read incoming notification messages. These notification messages often contain OTP and 2FA codes which can then be retrieved by the malware and broadcast to an external server.

Cryptocurrency Users on Android Targeted First

The first malicious app analyzed by the ESET analysis team is a copycat version of the official BTCTurk app — a Turkish Bitcoin exchange platform. The malicious app, named “BTCTurk Pro Beta” used the novel 2FA bypass technique to steal 2FA codes, while a fake login screen was used to capture the users BTCTurk login credentials. Both the 2FA codes and login credentials were then sent to the attacker’s server. Initially, suspicions were raised about the counterfeit BTCTurk app when Android users began noticing that the fake app was available worldwide, whereas the original app is restricted to Turkish Android users.  Typically, most vulnerabilities that involve crypto users are exposed pretty quickly. For instance, a vulnerability involving a recent batch of Yubikey authentication devices was quickly recognized and rectified by the manufacturer, preventing any loss of funds. Despite not being developed specifically for cryptocurrency users, the Yubikey authentication keys find extensive use as a FIDO U2F stick, most commonly used by cryptocurrency traders. With many cryptocurrency users often storing substantial sums in their mobile wallets and thanks to the pseudo-anonymity of most cryptocurrencies, there is little wonder why cryptocurrency users are often the first to be targeted by new exploits. Do you think Google needs to do more to prevent counterfeit and data-mining apps from entering the Play Store on Android devices? Let us know your thoughts in the comments!