If you use two-factor authentication, aka 2FA, to add that extra layer of security to your logins and believe it is foolproof, you need to pause and rethink.
Well, it turns out that 2FA codes sent via SMS are not as safe as they seem, because they can be intercepted by hackers.
Security firm Check Point recently revealed that an Iranian hacking group has developed Android malware that can steal 2FA codes. Nicknamed ‘Rampant Kitten’ by the firm, this group has built many such tools.
Check Point believes this group of threat actors is not new to the game. They are known to have been active for close to six years and have been running an ongoing surveillance operation against various resistance movements, such as the Association of Families of Camp Ashraf and Liberty Residents (AFALR), the Azerbaijan National Resistance Organization and the Balochistan people.
In these campaigns, Rampant Kitten favoured a wide range of malware families, including four different Windows infostealers and an Android backdoor that hides inside malicious apps.
The Windows malware strains used by this group not only stole a victim’s personal documents but also files from the victim’s Telegram desktop client and from the KeePass password manager.
That being said, it now seems they are changing their strategy and focusing on Android users.
In the report published by Check Point researchers, they highlight that the Android backdoor developed by Rampant Kitten is extremely potent.
The backdoor can steal a victim’s entire contact list and SMS messages, record audio via the microphone and display phishing pages.
But here is where it gets interesting: the backdoor appears to contain specific routines focused entirely on stealing 2FA codes.
According to the Check Point researchers, once installed on a user’s Android device this malware can intercept SMS messages containing the string “G-” (the prefix used by Google’s verification codes) and forward them to the attackers. That is quite alarming.
Check Point also pointed out that the malware can automatically forward all incoming SMS messages from Telegram and various other social network apps. These messages also tend to contain 2FA codes, so it is very likely that Rampant Kitten aims to bypass more than just the 2FA of Google accounts.
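As an added illustration (not code from Check Point’s report or from the malware itself), here is a defender-side triage script that flags an Android app whose manifest shows the capability pattern described above: SMS permissions plus a receiver for incoming SMS, combined with network access and the contacts and microphone permissions. The manifest is a constructed sample; the package name and receiver class are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: namespace
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Permissions that, taken together, match the capabilities the report describes
RISKY_PERMS = {
    "android.permission.RECEIVE_SMS": "read incoming SMS (2FA codes)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.READ_CONTACTS": "dump contact list",
    "android.permission.RECORD_AUDIO": "record via microphone",
}

# Constructed sample manifest; package and class names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.licensehelper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="License Helper">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, SMS receivers and a list of findings."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    # Receivers subscribed to incoming SMS; a high priority lets the app
    # see a message before the default messaging app does.
    sms_receivers = []
    for recv in root.iter("receiver"):
        for filt in recv.findall("intent-filter"):
            actions = {a.get(A + "name") for a in filt.findall("action")}
            if SMS_ACTION in actions:
                prio = int(filt.get(A + "priority", "0"))
                sms_receivers.append((recv.get(A + "name"), prio))
    findings = [desc for perm, desc in RISKY_PERMS.items() if perm in perms]
    if sms_receivers and "android.permission.RECEIVE_SMS" in perms:
        findings.append("SMS_RECEIVED receiver: can intercept 2FA codes")
        if "android.permission.INTERNET" in perms:
            findings.append("INTERNET: can forward intercepted SMS")
    return {"package": root.get("package"),
            "sms_receivers": sms_receivers, "findings": findings}


if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print("-", line)
```

Legitimate messaging apps also request these permissions, so a hit is a reason to review the app, not proof of malice.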
As of now, the malware has been found inside an Android app that poses as a service to help Persian speakers in Sweden get their driver’s licence.
It is therefore highly unlikely that it has spread widely across app stores. However, there is no confirmation that the same malware is not lurking in other mainstream apps as well, so the situation remains alarming.
With this highly dangerous malware, Rampant Kitten has joined the ranks of APT20, a state-sponsored Chinese hacking group that last year became known for bypassing hardware-based 2FA solutions as well.
All in all, this report clearly shows that malware is evolving at a rapid pace.
A month ago we reported how BlackRock, another dangerous piece of malware, had been infecting Android smartphones by posing as a Google update that asks for permission to observe the device’s actions and retrieve window content.
So, it is well understood that smartphone users, especially Android users, need to be aware and attentive more than ever. We will keep you updated on all future developments. Until then, stay tuned.