ESET researchers have found apps that impersonate the Turkish crypto exchange BtcTurk and use a new technique to bypass SMS-based two-step verification (2FA). The technique also circumvents Google's recent restrictions on SMS permissions.
In March this year, Google decided to restrict the use of SMS and call log permissions in Android apps in order to prevent rogue apps from abusing them for illegal practices. However, the BTCTurk Pro Beta, BtcTurk Pro Beta and BTCTURK Pro apps are able to circumvent these restrictions. The three apps phish for login details for the cryptocurrency exchange. They obtain the one-time code from the notification that appears when the SMS containing the two-step verification code arrives.
The apps can not only read the two-step verification notifications, they can also dismiss them. As a result, victims do not notice that fraudulent transactions are taking place. The three apps appeared in the Google Play Store in June 2019. Shortly after ESET reported the rogue apps and their practices, they were removed from the Play Store.
Notification access
After installation, the apps ask for a permission called Notification access. If they are granted that permission, they can read, dismiss, and perform the associated actions on notifications from all apps on the Android device. The ESET researchers state that the attackers specifically focus on notifications from SMS and mail apps.
The Notification access permission first appeared in Android 4.3 Jelly Bean. Devices running a version older than 4.3 do not have this security function from Google. These devices are already vulnerable to having their notifications read. Android devices with a newer version of the operating system are only vulnerable if an app is granted permission to read notifications.
The apps that pose as BtcTurk say they need Android version 5.0 KitKat or higher to work. According to ESET, about 90 percent of all Android devices have one of these versions of the operating system.
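For defenders, the Notification access grants described above can be audited over adb. The following is an added example, not code from ESET or the original article; it parses the value of the Android secure setting `enabled_notification_listeners` and reports listeners outside an allowlist. The package names, sample value and allowlist are constructed for illustration.

```python
import subprocess

# Constructed sample of the value returned by
#   adb shell settings get secure enabled_notification_listeners
# The setting holds colon-separated component names (package/service class).
SAMPLE = ("com.example.wearcompanion/.NotifyService:"
          "com.example.btcpro/com.example.btcpro.NotifService")

# Hypothetical allowlist of packages expected to hold Notification access.
ALLOWED = {"com.example.wearcompanion"}


def parse_listeners(raw):
    """Return (package, service_class) pairs from the setting value."""
    raw = raw.strip()
    if not raw or raw == "null":  # "null" means the setting is unset
        return []
    listeners = []
    for component in raw.split(":"):
        package, sep, cls = component.partition("/")
        if not sep or not package:
            continue  # skip malformed entries
        if cls.startswith("."):  # shorthand class name relative to the package
            cls = package + cls
        listeners.append((package, cls))
    return listeners


def unexpected_listeners(raw, allowed=ALLOWED):
    """Listeners whose package is not on the allowlist."""
    return [(p, c) for p, c in parse_listeners(raw) if p not in allowed]


def read_from_device():
    """Read the live value from a device connected over adb."""
    cmd = ["adb", "shell", "settings", "get", "secure",
           "enabled_notification_listeners"]
    return subprocess.run(cmd, capture_output=True, text=True,
                          check=True).stdout


if __name__ == "__main__":
    # Swap SAMPLE for read_from_device() to audit a connected device.
    for package, cls in unexpected_listeners(SAMPLE):
        print(f"review Notification access: {package} ({cls})")
```

Any package it reports can read and dismiss notifications from every app on the device, including SMS notifications that carry one-time codes.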
This news article was automatically translated from Dutch to give Techzine.eu a head start.