Security researchers from ESET have discovered three malicious apps on Google Play that abused Android's notification access permission to read notifications posted by other apps. The apps asked the victim for login credentials for BtcTurk, a Turkish cryptocurrency exchange, and then requested notification access, which let them read the notifications of every other app on the device.
The researchers found that the apps used this access to capture one-time passwords (OTPs) delivered by notification, and that they could also control the notifications displayed on the device, including dismissing them before the victim saw them. After ESET reported the apps to Google, all three were removed from Google Play.
The big picture
2FA-enabled apps targeted
In their blog post, the researchers point out that the apps did not read every notification: they filtered on the name of the app that posted it, looking for keywords such as ‘gm’, ‘yandex’, ‘mail’, ‘k9’, ‘outlook’, ‘sms’ and ‘messaging’, that is, the email and SMS clients through which two-factor authentication (2FA) codes are delivered.
“The targeted app names show us that both SMS and email 2FA are of interest to the attackers behind this malware. In SMS 2FA, the messages are generally short, and OTPs are likely to fit in the notification message. However, in email 2FA, message length and format are much more varied, potentially impacting the attacker’s access to the OTP,” they said.
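To make the filtering logic concrete, here is an added example in Python that is not ESET's code or the malware's own. It models what a notification listener of this kind does: match the posting app's package name against the keyword list quoted above, look for a digit run that could be an OTP in the text the notification actually carries, and show the effect the researchers describe, where a short SMS exposes the code but an email client's notification only carries a preview of the message. The defender-side function parses the value of the `enabled_notification_listeners` secure setting, which `adb shell settings get secure enabled_notification_listeners` prints as colon-separated `package/class` entries, and flags any listener package that is not on an allow-list. The sample notifications, package names, preview length and allow-list are constructed assumptions for the demonstration.

```python
"""
Model of notification-access abuse for OTP theft, plus a defender check.
Added example, not ESET's code or the malware's own. The keyword list is
the one reported by ESET; every package name, sample notification, the
preview length and the allow-list are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Keywords the malware matched against the posting app's name (from ESET).
TARGET_KEYWORDS = ("gm", "yandex", "mail", "k9", "outlook", "sms", "messaging")

# OTP heuristic: a standalone run of 4 to 8 digits (most OTPs are 6 digits).
OTP_RE = re.compile(r"(?<!\d)\d{4,8}(?!\d)")

# Email clients normally post only a preview of the message body to the
# notification, so a listener never sees the full mail. Assumed preview
# length for this simulation; the real value depends on the client.
PREVIEW_LIMIT = 120


@dataclass(frozen=True)
class Notification:
    package: str   # package name of the posting app, e.g. com.android.messaging
    title: str
    text: str      # body text the posting app put in the notification


def is_target(package: str) -> bool:
    """The malware's filter: does the posting app's name contain a keyword?"""
    name = package.lower()
    return any(k in name for k in TARGET_KEYWORDS)


def visible_text(n: Notification) -> str:
    """The text a notification listener actually gets to read."""
    return n.text[:PREVIEW_LIMIT]


def harvest_otp(n: Notification) -> Optional[Tuple[str, str]]:
    """Return (package, otp) when the notification comes from a targeted app
    and an OTP-looking token is present in the visible text, else None."""
    if not is_target(n.package):
        return None
    m = OTP_RE.search(visible_text(n))
    return (n.package, m.group(0)) if m else None


# Constructed sample notifications (not real captures).
SAMPLES = [
    # SMS 2FA: short message, the code fits in the notification.
    Notification("com.android.messaging", "Bank",
                 "Your verification code is 482913. Do not share it."),
    # Email 2FA: the code sits past the preview the mail client posts.
    Notification("com.google.android.gm", "Exchange login",
                 "Hello,\n\nSomeone is trying to sign in to your account from a new device. "
                 "If this was you, enter the code below to continue.\n\nCode: 917254"),
    # Not a targeted app at all, even though it contains a digit run.
    Notification("com.spotify.music", "Now playing", "Track 100000"),
]


# --- Defender side ---------------------------------------------------------
# `adb shell settings get secure enabled_notification_listeners` prints the
# listeners the user has granted notification access to, as a colon-separated
# list of flattened component names ("package/class"), or "null" when empty.

def unexpected_listeners(setting_value: str, allowed_packages: Set[str]) -> List[str]:
    """Return listener packages that are not on the allow-list."""
    if not setting_value or setting_value.strip() == "null":
        return []
    flagged = []
    for component in setting_value.strip().split(":"):
        pkg = component.split("/", 1)[0]
        if pkg and pkg not in allowed_packages:
            flagged.append(pkg)
    return flagged


if __name__ == "__main__":
    for n in SAMPLES:
        print(n.package, "->", harvest_otp(n))
    # Constructed setting value; only com.example.trusted is expected to have access.
    print(unexpected_listeners("com.example.trusted/.Svc:com.example.fake/.Listener",
                               {"com.example.trusted"}))
```

On a real device, feed the output of the `adb shell settings get secure enabled_notification_listeners` command to `unexpected_listeners`; any package you did not deliberately grant notification access to is the one to revoke under the notification access screen in Settings (its exact location varies by Android version and vendor). Note that the email case only fails because the code lies outside the preview; a short confirmation mail with the code in its first line would be harvested just like an SMS.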