A new type of Android malware is capable of stealing one-time passcodes that are part of the two-factor authentication (2FA), according to a recent report. Let’s break it down a bit:
What are one-time passcodes?
One-time passcode are a relatively new security measure that is supposed to provide more comprehensive protection for users. The idea is that once a user wants access to sensitive data like bank accounts, the bank sends an SMS message with a passcode valid for a limited time. This makes it ineffective for perpetrators to steal the user’s credentials since they wouldn’t be valid without this passcode sent to the user’s phone.
This method was changed by some vendors over concerns that a potential attacker could gain access to SMS messages and then steal one-time passcodes. The new method is an automated phone call which is much harder for a potential attacker to intercept.
What is this new threat we talk about?
Banking malware named Android.Bankosy was first discovered by Symantec in July 2014, but has been updated with new capabilities. This is another tweak of the malware framework “GMbot” which was also used Singaporean banker malware analyzed by Check Point.
The new Bankosy malware can redirect temporary passcode calls to attackers. If attackers obtain a user’s credentials beforehand, they can now access the user’s sensitive accounts. In addition to this incredible capability, the malware can switch the phone to silent mode and lock it so the phone owner will not be aware of the plot being executed.
Why is this development interesting?
This is a big breakthrough for attackers who can now compromise a security measure that was considered extremely safe up until now. The potential for damage is quite significant since attackers can gain access to a user’s sensitive accounts and meddle with them as they wish.
This time, attackers obviously meant to target banking apps, yet these are not the only apps at risk. Many different services support the use of two-factor authentication, including Gmail, Amazon, PayPal and Facebook. (Check out a list of services that use 2FA.) Users who want to protect their accounts use the 2FA as a comprehensive security measure.
It is not unreasonable to imagine a scenario in which attackers access enterprise Dropbox or Google Docs accounts to retrieve sensitive information, regardless of 2FA. Cloud computing services (SaaS) such as Amazon Web Services and Microsoft Azure are among the users of 2FA. These services are used by an increasing number of companies, now vulnerable to such attacks.
The attackers need to be successful in stealing credentials only once in order to infiltrate an organization’s secure workspace successfully. Upon infiltrating the workspace, the attacker can steel anything from internal information to intellectual property.
This calls for a new security method to safely and positively authenticate users. As seen here, technology and threats develop rapidly, and these new measures certainly won’t be the last.
What can be done to ensure your protection?
Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.