Security researchers are warning Android users about a recently discovered Google Play Store malware that allegedly sidesteps an advanced security feature.

When Google restricted the use of SMS and Call Log permissions in Android apps in March 2019, one positive effect was that credential-stealing apps lost the option of abusing these permissions to bypass SMS-based two-factor authentication (2FA) mechanisms.

We have now discovered malicious apps capable of accessing one-time passwords (OTPs) in SMS 2FA messages without using SMS permissions, circumventing Google's recent restrictions. As a bonus, this technique also works to obtain OTPs from some email-based 2FA systems. The apps impersonate the Turkish cryptocurrency exchange BtcTurk and phish for login credentials to the service. Instead of intercepting SMS messages to bypass 2FA protection on users' accounts and transactions, these malicious apps take the OTP from notifications appearing on the compromised device's display.

Besides reading the 2FA notifications, the apps can also dismiss them to prevent victims from noticing the fraudulent transactions taking place.

The malware, all forms of which ESET products detect as Android/FakeApp.KP, is the first known to sidestep the new SMS permission restrictions.

Malicious Google Play Store Apps

According to Stefanko, the first of the many apps containing the new Google Play Store malware was uploaded on June 7th. The malicious app was called BTCTurk Pro Beta, under the developer 'BTCTurk Pro Beta', and was built to mimic the Turkish cryptocurrency exchange.

It should be noted that BtcTurk's legitimate mobile app is listed as BtcTurk Bitcoin Borsası on the Google Play Store and is only available for download in Turkey. ESET immediately reported BTCTurk Pro Beta to Google, but by the time of reporting it had already been downloaded more than 50 times.

Stefanko further reported that the next malicious app was uploaded on June 11th as BtcTurk Pro Beta under the developer 'BtSoft'. The researcher noted that although the two apps closely resemble each other, they appear to have been uploaded by two different attackers. The second app was reported to Google on June 12th.

As soon as the second app was removed from the Play Store, the same attacker uploaded another app under the name BTCTURK PRO, with the same screenshots and icons. ESET reported this third app to Google on June 13th.

[Image: Malicious cryptocurrency apps containing the new Google Play Store malware. | Image courtesy of Lukas Stefanko/ESET]

How the New Google Play Store Malware Works

The Google Play Store malware works by requesting a specific permission, labeled Notification access, as soon as the user launches the infected app. This permission lets the malicious app read the notifications displayed by other apps installed on the same device. It can then either dismiss those notifications or click the buttons they contain, without the user's knowledge.

[Image: Notification access permission requested by apps infected by the new Google Play Store malware. | Image courtesy of Lukas Stefanko/ESET]

The Notification access permission has been available on all Android devices from version 4.3 (Jelly Bean) up to the present. Because every current Android version carries this feature, over 90 percent of Android devices are potential targets.

After the permission is granted, the fake app displays a fake login form asking the user to enter their BtcTurk credentials. Once the username and password have been entered, a Turkish error message appears stating that the mobile app's service is temporarily unavailable:

"Opss! Due to the change made in the SMS Verification system, we are temporarily unable to service our mobile application. After the maintenance work, you will be notified via the application. Thank you for your understanding."

[Image: Turkish error message displayed by the apps infected by the new Google Play Store malware. | Image courtesy of Lukas Stefanko/ESET]

Once this process is complete, the malware can read all notifications from other apps, including SMS and email. Stefanko explained that the malicious apps only target notifications containing the keywords "gm, yandex, mail, k9, outlook, SMS, messaging."

The content of each matching notification is then sent to the attacker's server, where the attackers can read it regardless of the security settings the victim uses on their Android device. While this technique can keep mobile users from noticing fraudulent transactions by suppressing notifications, the 2FA bypass has its limitations.

Source 1: https://edgy.app/new-google-play-store-malware-avoids-sms-two-factor-authentication?pfrom=tech&fp=a9
Source 2: https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/
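As an added defender-side check (not code from the article or from ESET), the script below audits which apps hold the Notification access permission this malware depends on. Android records the grant in the secure setting `enabled_notification_listeners`; on a real device the value comes from `adb shell settings get secure enabled_notification_listeners`, while here a constructed sample value and an assumed allowlist are used so the script runs offline.

```shell
#!/bin/sh
# Audit which apps hold Notification access. Android stores the grant in the
# secure setting enabled_notification_listeners as ':'-separated component
# names (package/class). On a real device read it with:
#   adb shell settings get secure enabled_notification_listeners
# The values below are constructed for this example, not from a real device.

SAMPLE_SETTING='com.android.systemui/.notification.NotificationListener:com.example.fakeexchange/.OtpListener'

# Packages an administrator expects to hold the permission (assumption).
ALLOWLIST='com.android.systemui com.example.trustedwearable'

# list_listener_packages VALUE -> one package name per line
list_listener_packages() {
  _value=$1
  _old_ifs=$IFS; IFS=':'
  for _comp in $_value; do
    # strip the "/class" suffix, keep only the package name
    [ -n "$_comp" ] && printf '%s\n' "${_comp%%/*}"
  done
  IFS=$_old_ifs
  return 0
}

# flag_unexpected VALUE ALLOWLIST -> packages not on the allowlist, one per line
flag_unexpected() {
  _allow=" $2 "
  for _pkg in $(list_listener_packages "$1"); do
    case "$_allow" in
      *" $_pkg "*) ;;               # expected listener, nothing to report
      *) printf '%s\n' "$_pkg" ;;   # unexpected: review and revoke if unwanted
    esac
  done
  return 0
}

# Typical use on a connected device:
# flag_unexpected "$(adb shell settings get secure enabled_notification_listeners)" "$ALLOWLIST"
flag_unexpected "$SAMPLE_SETTING" "$ALLOWLIST"
```

Anything the script flags should be reviewed and, if unwanted, revoked under the device's Notification access settings.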