An Iranian hacking group that developed malware capable of stealing two-factor authentication codes from Android devices was recently exposed by the security firm Check Point, which uncovered the operation.
The group, which is reportedly involved in surveillance operations against Iranian minorities and resistance movements, uses various malware types across Windows and Android.
The Windows malware tries to steal documents and passwords from targets’ computers, as well as files from Telegram’s Windows desktop client. However, Check Point has also discovered tools for Android, including the group’s two-factor authentication code stealer.
What the tool does
Check Point explains that the group built an Android backdoor disguised as a harmless app. The software purports to help Persian speakers in Sweden obtain their drivers’ licenses.
The app asks the user to grant a range of permissions and, once they are accepted, starts several background services. One of these services is responsible for monitoring the configuration, showing fake notifications, and collecting sensitive data.
Additionally, the following information is read and prepared by the service:
- Installed applications list
- Accounts information
- SMS messages
- Contacts information
Other information is collected on demand once a command is received from the group’s server, and includes:
- Voice recording – A 30-second recording by default.
- Google credentials – The server triggers an authentication phishing attempt.
This phishing attempt is executed by opening an accounts.google.com login page, and the group uses a tool to steal the credentials the user types in.
Once everything has been executed successfully, this Android backdoor can do the following:
- Steal existing SMS messages
- Forward two-factor authentication SMS messages to a phone number provided by the attacker-controlled C&C server
- Retrieve personal information like contacts and accounts details
- Perform Google account phishing
- Retrieve device information such as installed applications and running processes
Two-factor authentication SMS messages are intercepted and forwarded to the attackers by searching for any message that includes “G-”, which is usually the prefix for 2FA codes sent by Google.
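The data the article says the backdoor collects (SMS messages, contacts, account details, audio recordings, the installed-app list) can only be obtained through normal Android APIs if the app declares the matching permissions, so a first triage step for a suspicious APK is to compare its manifest against what a "driver's licence study guide" could plausibly need. The following Python script is an added example written for this article, not Check Point's tooling or code from the app described; the manifest it parses is constructed for illustration, and the mapping from the article's capabilities to Android permission names is the author's assumption about which permissions such an app would have to request.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the article attributes to the backdoor, mapped to the
# permissions an app would need in order to obtain that data through
# the normal Android APIs (assumption made for this example).
CAPABILITY_PERMISSIONS = {
    "read or intercept SMS (2FA code theft)": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
    },
    "read contacts": {"android.permission.READ_CONTACTS"},
    "read account information": {"android.permission.GET_ACCOUNTS"},
    "record audio": {"android.permission.RECORD_AUDIO"},
    "enumerate installed applications": {"android.permission.QUERY_ALL_PACKAGES"},
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the set of <uses-permission android:name="..."> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def suspicious_capabilities(manifest_xml: str) -> list[str]:
    """List which of the article's spyware capabilities the manifest enables."""
    perms = declared_permissions(manifest_xml)
    return [cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed]


def triage(manifest_xml: str, expected_perms: set[str]) -> dict:
    """Compare declared permissions with what the app's stated purpose justifies.

    `expected_perms` is the reviewer's own list of permissions the advertised
    purpose would plausibly require; anything beyond it is reported as
    unexplained, and two or more spyware capabilities raise the flag.
    """
    perms = declared_permissions(manifest_xml)
    caps = suspicious_capabilities(manifest_xml)
    return {
        "capabilities": caps,
        "unexplained_permissions": sorted(perms - expected_perms),
        "flag": len(caps) >= 2,
    }


# Constructed sample manifest for a supposed driving-test study app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.drivingtest">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Driving Test Guide"/>
</manifest>
"""

# A study guide that only downloads question sets would need roughly this.
STUDY_APP_EXPECTED = {"android.permission.INTERNET"}

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST, STUDY_APP_EXPECTED)
    print("flagged:", result["flag"])
    for cap in result["capabilities"]:
        print("  capability:", cap)
    for perm in result["unexplained_permissions"]:
        print("  unexplained:", perm)
```

The same check works on a real manifest once the APK has been decoded with a tool such as apktool; the point is that SMS, contacts, accounts and microphone access together have no place in a study guide, which is exactly the combination a reviewer should treat as a red flag regardless of the app's cover story.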
However, since the attacker is an Iranian organisation that is politically motivated, it is unlikely that South African users will be targeted.