Android users beware!
If you didn’t see it, a couple weeks ago it was discovered that some malicious apps are now capable of accessing one-time passwords (OTPs) in SMS two-factor authentication (2FA) messages from Android notification systems, circumventing Google’s recent SMS restrictions.
This technique also works to obtain these passwords from some email-based 2FA systems and it is generally being sent from what looks to be one of the legitimate Bitcoin exchanges.
You can click here to read the full story: https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/
To stay safe from this new technique, and from financial Android malware in general:
- Only trust cryptocurrency-related and other finance apps if they are linked from the official website of the service
- Only enter your sensitive information into online forms if you are certain of their security and legitimacy
- Keep your device updated
- Use a reputable mobile security solution to block and remove threats; ESET systems detect and block these malicious apps as Android/FakeApp
- Whenever possible, use software-based or hardware token one-time password (OTP) generators instead of SMS or email
- Only use apps you consider trustworthy, and even then: only allow Notification access to those that have a legitimate reason for requesting it
A malware attack can paralyze your business. If you don’t have the time or resources to invest in these security activities, contact us for help!