{"id":368243,"date":"2020-09-21T10:03:31","date_gmt":"2020-09-21T08:03:31","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=368243"},"modified":"2020-09-21T10:05:59","modified_gmt":"2020-09-21T08:05:59","slug":"hacker-group-developed-android-malware-to-steal-2fa-codes","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/368243-hacker-group-developed-android-malware-to-steal-2fa-codes.html","title":{"rendered":"Hacker group developed Android malware to steal 2FA codes"},"content":{"rendered":"<p>Security group Check Point has <a href=\"https:\/\/research.checkpoint.com\/2020\/rampant-kitten-an-iranian-espionage-campaign\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>discovered<\/strong><\/a> an Iranian hacking group which developed malware capable of stealing two-factor authentication codes from Android devices.<\/p>\n<p>The group, which is reportedly involved in surveillance operations against Iranian minorities and resistance movements, uses various malware types across Windows and Android.<\/p>\n<p>The Windows malware tries to steal documents and passwords from targets&#8217; computers, as well as files from Telegram&#8217;s Windows desktop client.<\/p>\n<p>However, Check Point has also discovered tools for Android, including the group&#8217;s two-factor authentication code stealer.<\/p>\n<h3 class=\"my-4\">What the tool does<\/h3>\n<p>Check Point explains that an Android backdoor was designed by the group under the guise of a harmless app.<\/p>\n<p>This software purports to help Persian speakers in Sweden get their drivers&#8217; licenses.<\/p>\n<p>The app asks the user to provide a variety of necessary permissions, and upon these being accepted, initiates several background services.<\/p>\n<p>One of these services is responsible for configuration monitoring, showing fake notifications, and sensitive data collection.<\/p>\n<p>Additionally, the following information is read and prepared by the 
service:<\/p>\n<ul>\n<li>Installed applications list<\/li>\n<li>Accounts information<\/li>\n<li>SMS messages<\/li>\n<li>Contacts information<\/li>\n<\/ul>\n<p>Other necessary information is collected on demand once a command is received from the group&#8217;s server, and includes:<\/p>\n<ul>\n<li>Voice recording \u2013 A 30-second recording by default.<\/li>\n<li>Google credentials \u2013 The server triggers an authentication phishing attempt.<\/li>\n<\/ul>\n<p>This phishing attempt is executed by opening an accounts.google.com login page, and the group uses a tool to steal the credentials the user types in.<\/p>\n<p>Once everything has been executed successfully, this Android backdoor can do the following:<\/p>\n<ul>\n<li>Steal existing SMS messages<\/li>\n<li>Forward two-factor authentication SMS messages to a phone number provided by the attacker-controlled C&amp;C server<\/li>\n<li>Retrieve personal information like contacts and accounts details<\/li>\n<li>Perform Google account phishing<\/li>\n<li>Retrieve device information such as installed applications and running processes<\/li>\n<\/ul>\n<p>Two-factor authentication SMS messages are intercepted and forwarded to the attackers by searching for any message that includes &#8220;G-&#8221;, which is usually the prefix for 2FA codes sent by Google.<\/p>\n<p>However, since the attacker is an Iranian organisation that is politically motivated, it is unlikely that South African users will be targeted.<\/p>\n<h3 class=\"my-4\">Now read: <a href=\"https:\/\/mybroadband.co.za\/news\/security\/367927-facebook-accused-of-watching-instagram-users-through-their-smartphone-cameras.html\" rel=\"bookmark\">Facebook accused of watching Instagram users through their smartphone cameras<\/a><\/h3>\n","protected":false},"excerpt":{"rendered":"<p>Security group Check Point has discovered an Iranian hacking group which developed malware capable of stealing two-factor authentication codes from Android 
devices.<\/p>\n","protected":false},"author":341039,"featured_media":263965,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[46249,30766,417,38240],"class_list":["post-368243","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-2fa","tag-check-point","tag-phishing","tag-two-factor-authentication"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/368243"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341039"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=368243"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/368243\/revisions"}],"predecessor-version":[{"id":368281,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/368243\/revisions\/368281"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/263965"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=368243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=368243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=368243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}