Iranian hackers develop malware to steal 2FA codes
Security experts routinely recommend two-factor authentication (2FA) as an extra layer of protection for online accounts and services such as Facebook and Instagram. A group of Iranian hackers has now built Android malware that gets past that layer by stealing 2FA codes delivered over SMS, without the victim's knowledge. Here are the details.
As reported by Check Point researchers, the Iranian group Rampant Kitten is using this malware as one tool in an ongoing surveillance campaign. The group has been active for years and targets Iranian minorities, anti-regime organizations, and resistance movements such as the Association of Families of Camp Ashraf and Liberty Residents, the Azerbaijan National Resistance Organization, and Baloch people.
The malware is delivered as a backdoor hidden inside innocuous-looking applications and performs a range of intrusive tasks: stealing the target's contacts, recording audio, and displaying phishing pages designed to capture login credentials. On top of that, the researchers found that the backdoor can intercept incoming two-factor authentication codes and forward them to the attackers in real time.
According to the firm's report, the backdoor detects and steals 2FA codes for several internet and social services, including those operated by Google and Telegram. In Google's case, the malware reportedly searched incoming messages for the string "G-", the prefix Google puts in front of its SMS verification codes; for the other services it simply forwarded every incoming message to the attackers.
Although the malware has everything it needs to take over an account protected this way, it has a significant limitation: it only works against 2FA codes sent by SMS, which experts have long flagged as the weakest option precisely because text messages can be intercepted. A code generated by an authenticator app or a hardware security key never passes through the SMS channel, so this malware cannot capture it. Switching away from SMS does not make the backdoor harmless, though: its contact theft, audio recording, and credential-phishing pages work regardless of which 2FA method the victim uses.
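The following is an added example (not code from the Check Point report or from the malware itself) that makes the two technical points above concrete. The first function reproduces the reported interception logic over a handful of constructed SMS messages: a message containing Google's "G-" prefix is treated as a 2FA code and the code is extracted, while messages from senders on a configured "forward everything" list are exfiltrated wholesale. The second part implements a standard TOTP generator (RFC 6238, which is what authenticator apps use) from a shared secret, to show that such a code is derived locally from the secret and the clock and never appears in the SMS inbox the backdoor is reading. The sender names, message bodies and the forward-all list are assumptions for illustration; the TOTP secret is the RFC test-vector secret.

```python
"""Added example: the reported SMS-filtering behaviour versus an app-generated TOTP code.

Sample messages, sender names and the forward-all list below are constructed for
illustration and are not taken from the report or the malware.
"""
import hashlib
import hmac
import re
import struct
from dataclasses import dataclass

# Google prefixes its SMS verification codes with "G-"; the report says the backdoor
# keys on that string. Six digits is the usual length of those codes.
GOOGLE_CODE = re.compile(r"\bG-(\d{6})\b")


@dataclass
class Sms:
    sender: str
    body: str


def filter_sms(inbox, forward_all_senders):
    """Mirror the reported exfiltration logic over a list of Sms objects.

    Returns a list of (sender, body, code) tuples for every message the backdoor
    would forward: 'code' is the extracted Google code, or None for messages that
    were forwarded only because the sender is on the forward-all list.
    """
    forwarded = []
    for msg in inbox:
        match = GOOGLE_CODE.search(msg.body)
        if match:
            forwarded.append((msg.sender, msg.body, match.group(1)))
        elif msg.sender in forward_all_senders:
            forwarded.append((msg.sender, msg.body, None))
    return forwarded


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.

    Nothing is sent or received to produce this value, which is why an SMS-reading
    backdoor never sees it.
    """
    return hotp(secret, unix_time // step, digits)


# Constructed inbox: one Google code, one message from a 'forward-all' service, one unrelated.
CONSTRUCTED_INBOX = [
    Sms("Google", "G-482913 is your Google verification code."),
    Sms("Telegram", "Login code: 55321. Do not give this code to anyone."),
    Sms("Mom", "Dinner at 7?"),
]
FORWARD_ALL = {"Telegram"}  # assumption: the services whose every message is forwarded

# RFC 6238 / RFC 4226 test-vector secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def demo():
    """Return what the backdoor would exfiltrate, alongside a locally generated TOTP."""
    stolen = filter_sms(CONSTRUCTED_INBOX, FORWARD_ALL)
    app_code = totp(RFC_SECRET, unix_time=59)  # RFC 6238 test vector, time = 59 s
    return stolen, app_code


if __name__ == "__main__":
    stolen, app_code = demo()
    for sender, body, code in stolen:
        print(f"forwarded from {sender!r}: code={code} body={body!r}")
    print(f"authenticator-app code (never in the inbox): {app_code}")
```

Run stand-alone, the script shows that the Google message and the Telegram message are forwarded (with the Google code pulled out), the unrelated message is left alone, and the TOTP value is produced without any message traffic at all. The same idea applies to hardware keys, whose response never leaves the device except over USB, NFC or Bluetooth to the browser.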
So far the researchers have identified only a single application carrying this malware, an app meant to help Persian speakers obtain a driver's license in Sweden. Given Rampant Kitten's track record, however, the team believes there are likely more apps with the same backdoor, particularly ones aimed at Iranians who oppose the Tehran regime.