Android Apps Target Bitcoin, By-Passing 2FA

Last week researchers reported on apps abusing the Android push notifications feature to deliver spam. Now other researchers have described apps using a similar but more advanced approach to by-pass two-factor authentication.

Lukas Stefanko, a malware analyst with ESET, has reported on apps that impersonate the Turkish cryptocurrency exchange, BtcTurk, and phish for login credentials to the service. Rather than the more obvious route of intercepting the SMS messages delivering OTPs, these apps (called BTCTurk Pro Beta and BtcTurk Pro Beta) read the credentials that appear in 2FA notifications from the service.

From November 2018 until April 2019, Bitcoin traded at around or just below $4,000. Since April, however, it has risen steadily and is currently trading at over $9,000. ESET and others have already warned that the growing price of Bitcoin will likely result in a new wave of cryptocurrency malware. “This latest discovery,” says Stefanko, “shows that crooks are actively searching for methods of circumventing security measures to increase their chances of profiting from the development.”

The basic process for the apps discovered by ESET is similar. On launch, the app requests the permission known as ‘notification access’. This permission allows the app to read the notifications displayed by other apps installed on the device, dismiss those notifications, or click buttons they contain — and is probably available in 90% of Android devices in use.

If the permission is granted, the app then displays a fake login message asking for the user’s BtcTurk login credentials. On their own, these wouldn’t be enough because of the 2FA requirements. The next step is to stop the user expecting any genuine response from the service — a false error message is displayed in Turkish. Translated, it says, “Opss! Due to the change made in the SMS Verification system, we are temporarily unable to service our mobile application. After the maintenance work, you will be notified via the application. Thank you for your understanding.”

The user’s basic credentials, however, have already been sent to the attacker’s server. 

Because of the power of the notification access permission, the app can now read all incoming notifications. It filters out all but those of interest, keeping only those that contain one of the keywords gm, yandex, mail, k9, outlook, sms and messaging. All of these notifications are sent to the attacker, who is primarily looking for the one-time passwords used in 2FA.

This happens regardless of the user’s settings for displaying notifications on the lock screen. “The attackers behind this app can also dismiss incoming notifications and set the device’s ringer mode to silent, which can prevent victims from noticing fraudulent transactions happening.”

So, the next time the user legitimately tries to access the service, any 2FA OTP can be dismissed on his or her phone before it is seen, while a copy is sent to the attacker. The user could be left waiting to receive the code while the attacker — who now has both login credentials and OTP — can access the account.

This isn’t the first of such malicious apps. ESET analyzed a similar app impersonating the Turkish Koineks exchange earlier this month. ESET believes it was developed by the same malicious actor, but lacked the ability to dismiss and silence notifications. “This shows,” says Stefanko, “that attackers are currently working on tuning this technique to achieve the ‘next best’ results to stealing SMS messages.”

A big concern, however, is that the technique could be used against any target (bank, financial institution, cryptocurrency exchange) that includes the OTP in pushed notifications — in any language and in any country.
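Because everything described above hinges on one permission, the practical check for a defender is to audit which apps on a device hold notification access. The following script is an added example and is not code from the article or from ESET; it parses the value that `adb shell settings get secure enabled_notification_listeners` returns (a colon-separated list of `package/Component` entries, or `null` when empty) and flags any package not on an allowlist. The sample value and the allowlist are constructed assumptions, and the package name `com.example.btcturkprobeta` is a placeholder, not the real app’s identifier.

```shell
#!/bin/sh
# Added example (not from the article or ESET): audit which apps hold Android's
# "notification access" permission, i.e. which NotificationListenerService
# components are enabled. On a real device the value comes from:
#   adb shell settings get secure enabled_notification_listeners
# Format: colon-separated "package/Component" entries, or "null" when none.

# Constructed stand-in for the adb output (assumption; the package
# com.example.btcturkprobeta is a placeholder, not the real app id).
SAMPLE_LISTENERS='com.android.systemui/.statusbar.notification.NotificationListenerService:com.example.btcturkprobeta/.NotifSvc:com.google.android.apps.wearable/.Listener'

# Packages expected to hold the permission (assumption; adjust per fleet).
ALLOWED='com.android.systemui com.google.android.apps.wearable'

# audit_listeners LISTENERS ALLOWLIST
# Prints every package in LISTENERS that is not in ALLOWLIST, one per line.
# Returns 0 when nothing unexpected was found, 1 otherwise.
audit_listeners() {
  listeners=$1
  allowed=$2
  rc=0
  if [ -z "$listeners" ] || [ "$listeners" = "null" ]; then
    return 0
  fi
  old_ifs=$IFS
  IFS=':'
  for entry in $listeners; do
    pkg=${entry%%/*}            # strip the component, keep the package name
    case " $allowed " in
      *" $pkg "*) ;;            # allowlisted: nothing to report
      *) echo "$pkg"; rc=1 ;;   # unexpected holder of notification access
    esac
  done
  IFS=$old_ifs
  return $rc
}

if audit_listeners "$SAMPLE_LISTENERS" "$ALLOWED"; then
  echo "OK: only allowlisted apps hold notification access"
else
  echo "WARNING: the packages above hold notification access but are not allowlisted"
fi
```

On a managed fleet the same function can be fed the live value from `adb` or an MDM export; a non-zero return is the signal to investigate the listed package.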

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
