Malicious Apps Uses App Permission to Retrieve information
If you remember in September 2018, we came across a report from Nightwatch Cybersecurity regarding a security vulnerability in Android that allowed malicious apps to bypass permissions checks, and as a result, gain access to reading the information, including the location of the device.
According to Nightwatch Cybersecurity, the vulnerability affects all versions of Android except for the recently-released Pie. The security hole is detailed in CVE-2018-9489 and is unlikely to get any fix, according to the advisory.
That time the vendor solved these issues in Android P / 9. Since this would be a last-minute API change, the vendor did not to fix the flaw in the previous versions of Android, and encouraged the users to upgrade to Android P / 9.
Studies have shown that malicious applications can listen to system transmissions to avoid authorization checks and access device-specific information
Today, in June 2019, we have a similar story. ESET security researchers discovered many malicious applications that used Google’s permissions on Android devices to read app notifications. These applications request the login credentials used for BtcTurk, a Turkish cryptocurrency exchange, and were then able to read notifications from other applications.
The researchers discovered that these malicious applications captured information such as the OTP protocol and could control the notifications displayed on the device. When reporting to Google, all three apps were removed from Google Play.
How it works
ESET researchers discovered three apps, which were developed by attackers who used different aliases, namely “BTCTurk Pro Beta”, “BtcTurk Pro Beta” and “BTCTURK PRO”.
All these applications supplanted the Turkish cryptographic exchange BtcTurk and behaved the same way after the installation. Once installed, applications require the “Access to Notifications” permission. Enabling this permission allowed them to read notifications from other apps on the device, ignore them, or even click the buttons on the notifications. As a result, a fake connection is displayed when you request the user’s BtcTurk credentials. The introduction of the credentials generated a false error message. The researchers suggest that credentials, as well as information about upcoming notifications, be sent to the attacker’s server via this action.
These applications specifically targeted data from other applications using two-factor authentication (2FA) and were looking for keywords such as “gm”, “Yandex”, “mail”, “k9″, ” outlook’ ‘SMS’, ‘messages’, as pointed out in their blog.
The names of the specific applications tell us that the SMS and 2FA emails are of interest to the attackers behind this malware.” In SMS 2FA, the messages are usually short and the OTPs are likely to be integrated into the message. However, in the 2FA email, the length and format of the message are much more varied, which could affect the attacker’s access to the OTP.