When Google restricted the use of login rights SMS and Call Log applications Android in March of 2019, one of the positive results was that apps that shed credentials lost the option to abuse these rights to bypass two-factor authentication (2FA).
Unfortunately, however, malicious apps that have access to one hour passwords have recently been found (OTP) to SMS 2FA without using SMS rights, bypassing Google's recent restrictions. As a bonus, this technique also works to acquire OTPs from some systems 2FA.
Applications imitate the Turkish cryptocurrency exchange BtcTurk and attack through phishing to steal login credentials into the service. Malicious applications receive OTP from the alerts displayed on the victim's screen. In addition to reading 2FA notifications, apps can also hide them to prevent the attackers from capturing the attack.
Malicious software, all of whose forms are detected by products ESET is the first to bypass the new SMS permission restrictions.
The first of them malicious applications which was detected, was uploaded to Google Play on 7 June 2019 as "BTCTurk Pro Beta" under the developer name "BTCTurk Pro Beta". It was installed by more than 50 users before reported by ESET to Google security teams. BtcTurk is a Turkish one cryptocurrency exchange. The official mobile app is linked to the exchange site and is only available to users in Turkey.
The second application was downloaded on June 11 2019 as "BtcTurk Pro Beta" under the developer name "BtSoft". Although the two applications use a very similar format, it seems to be the work of various attackers. The application was reported to 12 June 2019 when it was installed by fewer than 50 users.
After removing this second app, the same intruders uploaded another application with the same functionality, this time under the name "BTCTURK PRO" and using the same developer name, icon and screenshots. The application was reported on June 13 2019.
For more technical details, click here.