Android malware steals your Google Authenticator codes
SonicWall Capture Labs Threat Research team came across a malware campaign that steals device information, card information, and google authenticator code on Android devices. This malware uses famous Android app icons to mislead users and trick victims into installing the malicious app on their device. This malicious app may use the following icons:
Fig 1: Malware using famous app icons
We also noticed that most of these malicious apps are fairly new and have recently been submitted over malware sharing platforms like Virus Total.
Fig 2: Latest sample found on VT
The critical permissions used in these apps are mentioned below:
After installation, it asks the victim to enable the accessibility service. Once this option is enabled it becomes difficult to uninstall the application from the device.
Fig 3: Installed malicious app
Fig 4: Accessibility permission
The malicious application connects to the Command-and-Control server and receives commands to execute operations accordingly, as shown in the image below:
In web data, it creates a database where it stores the victim’s personal information and card details.
Fig 6: Database created for storing information
Google Authenticator generates two-factor authentication (2FA), which provides stronger security for Accounts & requires a second step of verification when a user signs in. This malware manages to evade additional layers of security by getting 2FA codes with the help of Accessibility services.
Fig 7: Stealing Google authenticator code
This malware also sends details of current location of the victim to its remote C&C server.
This malware is also capable of taking screenshots of the victim’s device and sending them to the C&C server.
Fig 9: Malware capture screenshots
It stores C&C server’s details like Host address (192.168.110.93) and port number (33660) in base64 encoded form.
SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.
Indicators of Compromise (IOC):