If you thought malware could not break the protection that two-factor authentication systems provide, you're in for an unpleasant surprise: it can. Say hello to the latest Trojan on the block, Android.Bankosy, which is capable of stealing a user's OTPs, or one-time passwords.
Voice-based OTPs are frequently deployed by banking apps as a security mechanism. However, security firm Symantec reveals that the above-mentioned Trojan can defeat them: the malware is able to intercept the codes that form part of the two-factor authentication.
For the unfamiliar, several online banking apps require users to key-in not only their login details and password, but also the OTP, which is a time-sensitive code. Only then can a user gain access and make their desired transaction. This OTP can be sent to the user through a text message or as an automated call.
Many banks have adopted the call-based system as it is a safer bet (when compared to SMS) against interception by malware. However, it seems that even call-based OTPs are not safe from interception.
On Tuesday, Symantec's Dinesh Venkatesan explained in a blog post that while the two-factor system is popular and works in theory, the emergence of the malware proves otherwise.
"In the last quarter of 2015, we observed an emerging trend among financial Trojans. An information stealing Android threat (detected by Symantec as Android.Bankosy) added functionality to its code that can enable it to deceive voice call-based two-factor authorization (2FA) systems," divulges Venkatesan.
Venkatesan also reveals that the Trojan is updated in such a manner that it is able to forward these phone calls to the hacker.
How The Malware Operates
The Android.Bankosy malware installs on a device using third-party apps.
Once installed, Android.Bankosy opens a back door and gathers system-specific information about the user's device. This data is then forwarded to the C&C server so that the device can be registered, after which the malware receives a unique identifier for the infected Android device. If registration succeeds, that unique identifier is used in subsequent communication to receive commands from the C&C server.
It intercepts 2FA voice codes if instructed and forwards the phone calls to the number of the attacker.
To forward calls in the Asia-Pacific region, several operators deploy a service code in the format *21*[destination number]#. The Trojan has implemented this format.
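From a defender's side, the useful thing about the service-code format above is that it is easy to recognise. The following is an added example, not code from the article or from Symantec, that classifies dialed strings (for instance from a device's call log exported during incident review) and flags any unconditional call-forwarding activation along with the destination it points at, so the forwarding can be checked and cleared. The strings used for the status check (*#21#) and deactivation (#21#, ##21#) are standard GSM MMI codes that the article does not mention; treating them as benign is this example's assumption, and the sample dial log is constructed.

```python
import re

# Unconditional call-forwarding activation in the format the article describes:
# *21*<destination>#. A double leading star (**21*) is accepted by most dialers
# too; that variant is an assumption from standard GSM MMI syntax, not the article.
_CF_ACTIVATE = re.compile(r"^\*{1,2}21\*(\+?\d{3,15})#$")

# Status query and deactivation strings for the same service (standard GSM MMI
# codes; assumption, not from the article). These are benign and not flagged.
_CF_BENIGN = re.compile(r"^(\*#21#|#21#|##21#)$")


def classify_dial_string(dialed: str) -> dict:
    """Classify a single dialed string.

    Returns a dict with the original string, a 'kind' of
    'forwarding_activation', 'forwarding_query_or_deactivation' or 'ordinary',
    and the forwarding destination when one was set.
    """
    s = dialed.strip().replace(" ", "")
    m = _CF_ACTIVATE.match(s)
    if m:
        return {"dialed": dialed, "kind": "forwarding_activation",
                "destination": m.group(1)}
    if _CF_BENIGN.match(s):
        return {"dialed": dialed, "kind": "forwarding_query_or_deactivation",
                "destination": None}
    return {"dialed": dialed, "kind": "ordinary", "destination": None}


def find_forwarding_activations(dialed_strings) -> list:
    """Return the destination number of every forwarding activation found."""
    return [r["destination"]
            for r in map(classify_dial_string, dialed_strings)
            if r["kind"] == "forwarding_activation"]


# Constructed sample dial log (not real data); numbers are placeholders.
SAMPLE_DIAL_LOG = [
    "+15551234567",
    "*21*+15559876543#",
    "*#21#",
    "##21#",
    "*21*5550001111#",
    "112",
]

if __name__ == "__main__":
    for entry in SAMPLE_DIAL_LOG:
        print(classify_dial_string(entry))
    # Two activations are present in the constructed log.
    print(find_forwarding_activations(SAMPLE_DIAL_LOG))
```

Any destination reported by find_forwarding_activations that the phone's owner did not set themselves is a signal to deactivate forwarding with the operator and to treat the device as compromised.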
Are You Affected By The Trojan?
If you have downloaded third-party apps onto your Android mobile device from unknown or untrusted sources, potentially yes.
How Do I Protect Myself?
To safeguard your Android device against the threat it is recommended to follow these practices:
- Ensure your software is updated
- Do not download apps from random sites/unknown sources
- Install apps which are from trusted sources alone
- Read the permission requests an app asks for carefully
- Use a good mobile security app (like Norton) to safeguard your data/device
- Back-up important data frequently