Accounts protected by two-factor authentication may face a greater risk of being hijacked by a newly updated Android malware, IT News reported Tuesday (Jan. 12).
The capabilities of the malware, which was originally discovered by Symantec back in 2014 and is called Android.Bankosy, were updated to steal the time-sensitive codes that are typically sent out as an added security measure when attempting to log into mobile applications with two-factor authentication. In most cases, the one-time passcodes are sent via SMS or delivered through an automated phone call.
While many online banking applications have moved to using the call-based passcodes, since SMS messages can be captured by some malware, Android.Bankosy now has the ability to forward the calls directly to hackers.
“Once the malware is installed on the victim’s device, it opens a back door, collects a list of system-specific information and sends it to the command and control (C&C) server to register the device and then get a unique identifier for the infected device,” Dinesh Venkatesan of Symantec explained in a blog post. “If the registration is successful, it uses the received unique identifier to further communicate with the C&C server and receive commands.”
“Once the unconditional call forwarding is set on the victim’s device, the attacker — who has already stolen the victim’s credentials (the first factor in two-factor authentication and authorization) — can then initiate a transaction,” Venkatesan continued.
The malware also has the ability to disable and enable the silent mode on a mobile device, as well as lock a device so that the victim is unaware when an incoming call takes place.
Symantec recommends users adhere to best practices, like keeping software up to date and refraining from downloading apps from unfamiliar websites, in order to help mitigate the threat of malware on their mobile devices.