Malicious apps leverage app permission to extract information from notifications

• The apps made use of the ‘Notification access’ app permission on Android devices and impersonated a Turkish cryptocurrency exchange.
• Upon installation, these apps could read notifications coming from other apps including SMS and email apps.

Security researchers from ESET have discovered a bunch of malicious apps that exploited Google app permission on Android devices for reading app notifications. These apps request login credentials used for BtcTurk, a Turkish cryptocurrency exchange, and subsequently could read notifications from other apps.

Researchers found that these malicious apps captured information such as OTP, and could have control of notifications displayed on the device. Upon informing Google, all three apps were removed from Google Play.

The big picture

• ESET researchers uncovered three apps, namely “BTCTurk Pro Beta”, “BtcTurk Pro Beta” and “BTCTURK PRO”, that were developed by attackers who used different aliases.
• All these apps impersonated Turkish crypto-exchange BtcTurk and behaved similarly after installation.
• Once installed, the apps request the ‘Notification access’ permission. Enabling this permission allowed them to read notifications displayed by other apps in the device, dismiss notifications, or even click buttons present in notifications.
• Consequently, a fake login is displayed where it asks for the user’s BtcTurk credentials. Entering credentials resulted in a fake error message. Researchers suggest that the credentials, as well as information from upcoming notifications, are sent to the attacker’s server by this action.

2FA-enabled apps targeted

In their blog, the researchers point out that these apps specifically targeted data from other apps which employed two-factor authentication (2FA) and looked for keywords such as ‘gm’, ‘yandex’, ‘mail’, ‘k9’, ‘outlook’, ‘sms’, ‘messaging’.

“The targeted app names show us that both SMS and email 2FA are of interest to the attackers behind this malware. In SMS 2FA, the messages are generally short, and OTPs are likely to fit in the notification message. However, in email 2FA, message length and format are much more varied, potentially impacting the attacker’s access to the OTP” they said.