Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Android Apps Target Bitcoin, By-Passing 2FA

Last week researchers reported on apps abusing the Android push notifications feature to deliver spam. Now other researchers have described apps using a similar but more advanced approach to by-pass two-factor authentication.

Last week researchers reported on apps abusing the Android push notifications feature to deliver spam. Now other researchers have described apps using a similar but more advanced approach to by-pass two-factor authentication.

Lukas Stefanko, a malware analyst with ESET, has reported on apps that impersonate the Turkish cryptocurrency exchange, BtcTurk, and phish for login credentials to the service. Rather than the more obvious route of intercepting the SMS messages delivering OTPs, these apps (called BTCTurk Pro Beta and BtcTurk Pro Beta) read the credentials that appear in 2FA notifications from the service.

From November 2018 until April 2019, Bitcoin traded at around or just below $4,000. Since April, however, it has risen steadily until currently trading at over $9.000. ESET, and others, have already warned that the growing price of Bitcoin will likely result in a new wave of cryptocurrency malware. “This latest discovery,” says Stefanko, “shows that crooks are actively searching for methods of circumventing security measures to increase their chances of profiting from the development.”

The basic process for the apps discovered by ESET are similar. On launch, the app requests the permission known as ‘notification access’. This permission allows the app to read the notifications displayed by other apps installed on the device, dismiss those notifications, or click buttons they contain — and is probably available in 90% of Android devices in use.

If the permission is granted, the app then displays a fake login message asking for the user’s BtcTurk login credentials. On their own, these wouldn’t be enough because of the 2FA requirements. The next step is to stop the user expecting any genuine response from the service — a false error message is displayed in Turkish. Translated, it says, “Opss! Due to the change made in the SMS Verification system, we are temporarily unable to service our mobile application. After the maintenance work, you will be notified via the application. Thank you for your understanding.”

The user’s basic credentials, however, have already been sent to the attacker’s server. 

Because of the power of the notifications access permission, the app can now read all incoming notifications. It filters out all but those of interest, leaving just those that contain the keywords, gm, yandex, mail, k9, outlook, sms, and messaging. All these notifications are sent to the attacker, who is primarily looking for the one-time passwords used in 2FA.

This happens regardless of the user’s settings for displaying notifications on the lock screen. “The attackers behind this app can also dismiss incoming notifications and set the deviceís ringer mode to silent, which can prevent victims from noticing fraudulent transactions happening.”

So, the next time the user legitimately tries to access the service, any 2FA OTP can be dismissed from his or her phone, but sent to the attacker. The user could be left waiting to receive the code while the attacker — who now has both login credentials and OTP — can access the account.

This isn’t the first of such malicious apps. ESET analyzed a similar app impersonating the Turkish Koineks exchange earlier this month. ESET believes it was developed by the same malicious actor, but lacked the ability to dismiss and silence notifications. “This shows,” says Stefanko, “that attackers are currently working on tuning this technique to achieve the ‘next best’ results to stealing SMS messages.”

A big concern, however, is that the technique could be used against any target (bank, financial institution, cryptocurrency exchange) that includes the OTP in pushed notifications — in any language and in any country.

Related: 6 Ways Attackers Are Still Bypassing SMS 2-Factor Authentication 

Related: Hackers Steal $40 Million in Bitcoin From Cryptocurrency Exchange Binance 

Related: Mac Malware Steals Browser Cookies, Sensitive Data 

Related: Nine Charged in SIM Hijacking Scheme 

Related: Cryptocurrency Theft Tops $1 Billion in Past Six Months 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Chinese tech giant Huawei patched nearly 300 vulnerabilities in its HarmonyOS operating system in 2022.