BRATISLAVA – ESET researchers have analyzed a fake cryptocurrency app using a previously unseen technique to bypass SMS-based two-factor authentication, circumventing Google’s recent SMS permissions restrictions. Google restricted the use of SMS and Call Log permission groups in Android apps in March 2019 to prevent intrusive apps from abusing them for various illicit purposes.

The app mimics the Turkish cryptocurrency exchange Koineks and phishes for login credentials to the service. Instead of intercepting SMS messages to bypass 2FA protection on users’ accounts and transactions, this malware takes the one-time password (OTP) from notifications appearing on the compromised device’s display. The malicious app was uploaded to Google Play on May 22, 2019, as “Koineks” and was installed by more than 100 users before being removed from the store a week later.
After the app is installed and launched, it requests a permission named Notification access. The fake Koineks app can then read the content of notifications. According to ESET’s analysis, the attackers behind this app specifically target notifications from SMS and email apps.

“One of the positive effects of Google’s restrictions from March 2019 was that credential-stealing apps lost the option to abuse the permissions that allowed them to bypass SMS-based 2FA mechanisms. However, with the discovery of this fake app, we have now seen a malicious app bypass the SMS permission restriction for the first time since the new policy was introduced,” said ESET Researcher Lukáš Štefanko, author of the research piece.

The Notification access permission was introduced in Android’s Jelly Bean 4.3 version, meaning almost all active Android devices are susceptible to this new technique. The fake Koineks app requires Android version 5.0 (KitKat) to run, thus it affects around 90% of Android devices.

As for its effectiveness in bypassing 2FA, this specific technique does have its limitations – attackers can only access the text field that fits the notification’s text field, and thus, it is not guaranteed that the text will include the OTP. In SMS 2FA, the messages are generally short, and OTPs are likely to fit in the notification message. However, in email 2FA, message length and format are much more varied, potentially impacting accessible data.

For more details, read the full piece by Lukáš Štefanko, “Malware sidesteps Google permissions policy with new 2FA bypass technique,” on “WeLiveSecurity.com.”