Analysts from the security firm ESET have uncovered fraudulent cryptocurrency apps that use a method to get around Google's recent Android permission restrictions and intercept SMS-based two-factor authentication (2FA) codes.
Google had recently restricted Android apps' use of the SMS and Call Log permissions to prevent illicit operators from abusing them.
The apps in question, named BTCTurk Pro Beta, BtcTurk Pro Beta and BTCTURK PRO, impersonated the legitimate Turkish cryptocurrency exchange BtcTurk in order to gain access to the exchange's services.
Once a user installs one of the fraudulent BtcTurk apps, it asks the user to grant it notification access. With that permission granted, the app can then read the notifications posted by other apps on the user's device, including the SMS notifications that carry 2FA codes, and exploit them for financial gain.
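Because the whole technique rests on the Notification access permission, the first thing a defender or incident responder wants to know is which apps on a device actually hold it. The following POSIX shell script is an added example, not code from the article or from ESET. It reads Android's Secure setting `enabled_notification_listeners` (a colon-separated list of `package/ListenerService` component names, which `adb shell settings get secure enabled_notification_listeners` returns on a connected device) and flags any package that is not on an allowlist. The sample setting value, the allowlist, and the package name `com.example.fakewallet` are constructed for the example; adapt the allowlist to the device you are auditing.

```shell
#!/bin/sh
# Added example (not from the article or ESET): audit which apps on an Android
# device hold Notification access, the permission the fake BtcTurk apps abuse.
#
# Android keeps enabled notification listeners in the Secure setting
# "enabled_notification_listeners" as colon-separated component names, e.g.
#   com.android.systemui/com.android.systemui.statusbar.notification.NotificationListener
# An unset value is printed by "settings get" as the literal string "null".

# Constructed sample value, standing in for real "adb shell settings get" output.
# com.example.fakewallet is a hypothetical package name for the example.
SAMPLE_LISTENERS='com.android.systemui/com.android.systemui.statusbar.notification.NotificationListener:com.example.fakewallet/com.example.fakewallet.NotifSvc'

# Hypothetical allowlist: packages that are expected to hold notification access
# on the device being audited (space separated). Adjust for your fleet.
ALLOWED_PACKAGES='com.android.systemui com.google.android.apps.wearable.phone'

# Print one package name per line, extracted from a raw setting value.
# "null" or an empty value yields no output because neither contains a "/".
listener_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p'
}

# Print the packages that hold notification access but are not allowlisted.
unexpected_listeners() {
    listener_packages "$1" | while IFS= read -r pkg; do
        case " $ALLOWED_PACKAGES " in
            *" $pkg "*) ;;                 # expected listener, ignore
            *) printf '%s\n' "$pkg" ;;     # not on the allowlist, report it
        esac
    done
}

# When run directly: use a connected device if adb is available and a device
# responds, otherwise fall back to the constructed sample so the script still
# demonstrates the check offline.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    RAW=$(adb shell settings get secure enabled_notification_listeners | tr -d '\r')
else
    RAW=$SAMPLE_LISTENERS
fi

echo "Packages holding Notification access:"
listener_packages "$RAW"
echo "Not on the allowlist (review these):"
unexpected_listeners "$RAW"
```

On a real device, any package reported in the second list deserves a look: a wallet or exchange app has no legitimate reason to read other apps' notifications, and revoking the permission (Settings > Apps > Special app access > Notification access) or uninstalling the app closes this interception path. Note that this check only covers notification listeners; it does not detect apps that were granted the SMS permission itself.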
“One of the positive effects of Google’s restrictions from March 2019 was that credential-stealing apps lost the option to abuse these permissions for bypassing SMS-based 2FA mechanisms. However, with the discovery of these fake apps, we have now seen the first malware sidestepping this SMS permission restriction,” said Lukáš Štefanko, a researcher from ESET.
The notification access feature was introduced in Android 4.3 (Jelly Bean), which means that almost all Android devices currently in use could fall prey to the scam's method of intrusion; the fraudulent BtcTurk apps could therefore operate on the vast majority of Android devices of the day.
Despite this, the fake apps' preferred technique of intrusion does come with a setback: the scam's operators can only see the portion of a message that fits in the notification's text field.
This means that the full text, and with it the whole OTP, is not guaranteed to be included. Longer messages are likely to be truncated in the notification, so only short, concise messages are captured in full.