ESET researchers discovered Android apps on Google Play impersonating BtcTurk, a Turkish cryptocurrency exchange. Rather than requesting the SMS permission, which Google now restricts for most apps, the apps abused Android's Notification access to read incoming SMS two-factor authentication codes, and phished users for their login credentials.
Three malicious apps, all from the same attackers, were disguised as the BtcTurk exchange app. The first, 'BTCTurk Pro Beta', had been installed by more than 50 users before it was discovered. ESET reported it to Google's security team, who removed it. The attackers then uploaded a second app, 'BtcTurk Pro Beta', which had fewer than 50 installs before it too was reported and taken down. A third app, 'BTCTURK PRO', was reported and removed before any user installed it.
The attack begins when the app is first opened: it asks the user to grant Notification access. Once approved, that grant lets the app read every notification posted by other apps on the device. With access in hand, the app asks the user for their BtcTurk login credentials. After the credentials are entered, an error message appears:
“Opss! Due to the change made in the SMS Verification system, we are temporarily unable to service our mobile application. After the maintenance work, you will be notified via the application. Thank you for your understanding.”
By then the credentials have already been sent to the attackers. The apps also forward to the attacker any notification from an app whose name contains one of the keywords 'gm, Yandex, mail, k9, outlook, sms, messaging', which covers the common SMS and email clients through which 2FA codes arrive. The notifications are forwarded regardless of the user's notification settings, and the apps can also dismiss notifications and silence the device's ringer, so the victim may never see the intercepted message. A practical check on any device: review which apps hold Notification access in Android's Settings (the exact menu path varies by version) and revoke it from any app that has no reason to read other apps' notifications.
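As an added example, not code from the LIFARS post or from ESET's analysis, here is a small triage script for checking which apps on a device hold Notification access. It assumes you have captured the output of `adb shell settings get secure enabled_notification_listeners` (a colon-separated list of Android component names, one per app with the grant); the sample value, the package names in it, including the fake-exchange one, and the allow-list of expected packages are all constructed for the example.

```python
"""Triage Android Notification-access grants from an adb capture.

Added example, not from the LIFARS post or ESET's report.
Assumes this was run on the device:
    adb shell settings get secure enabled_notification_listeners
which returns either 'null' (no listener enabled) or a ':'-separated
list of ComponentName strings such as 'pkg/pkg.Service' or 'pkg/.Service'.
"""
from typing import List, Set, Tuple

# Constructed sample capture. The package names are hypothetical; the
# second entry stands in for a fake-exchange app like the ones ESET found.
SAMPLE_SETTING = (
    "com.example.watchcompanion/com.example.watchcompanion.NotifListener:"
    "com.btcturkprobeta.app/com.btcturkprobeta.app.NotificationService:"
    "com.example.carkit/.ListenerService"
)

# Packages the device owner expects to hold this grant (assumption).
EXPECTED: Set[str] = {"com.example.watchcompanion", "com.example.carkit"}


def parse_listeners(raw: str) -> List[Tuple[str, str]]:
    """Split the setting value into (package, fully qualified service) pairs.

    An empty value or the literal 'null' means no app has the grant.
    A class written as '.Service' is relative to its package.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    listeners = []
    for component in raw.split(":"):
        if not component:
            continue
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        listeners.append((pkg, cls))
    return listeners


def unexpected_listeners(raw: str, expected: Set[str]) -> List[Tuple[str, str]]:
    """Return every listener whose package is not on the allow-list."""
    return [(pkg, cls) for pkg, cls in parse_listeners(raw) if pkg not in expected]


def revoke_command(pkg: str, cls: str) -> str:
    """adb command that revokes the grant (Android 8+ 'cmd notification')."""
    return f"adb shell cmd notification disallow_listener {pkg}/{cls}"


if __name__ == "__main__":
    suspects = unexpected_listeners(SAMPLE_SETTING, EXPECTED)
    if not suspects:
        print("No unexpected notification listeners.")
    for pkg, cls in suspects:
        print(f"UNEXPECTED listener: {pkg} ({cls})")
        print(f"  revoke with: {revoke_command(pkg, cls)}")
```

Any package the script flags can read the same SMS and email notifications the BtcTurk impostors forwarded; revoking the grant stops the interception immediately, but the app itself should still be uninstalled and the affected account passwords and 2FA enrollment rotated.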
Contact LIFARS today for penetration testing services