
A new phishing malware that impersonates the BTC Turk crypto exchange is targeting Android users. According to a report by cybersecurity firm ESET, the new malware has managed to sidestep Google’s recent restrictions and can access one-time passwords (OTP) sent via email or SMS.

The malware is embedded in apps that impersonate BTC Turk, a Turkish cryptocurrency exchange. The attackers’ motive is to steal credentials for the exchange, the report stated. The malware does this by accessing the OTP, a randomly generated password that a user receives to log in to an application on which he/she has enabled two-factor authentication (2FA).

In March, Google restricted the use of call log and SMS permissions on Android devices, denying attackers the ability to bypass the 2FA system. However, this new malware has found a way to sidestep these restrictions, becoming the first known malware to do so according to the report.

Once a user installs the app, in the belief that it’s the legitimate BTC Turk app, it requests notification access. This allows the attackers to read the notifications displayed by other apps or even dismiss them. Once the request is granted, the app displays a message in Turkish stating that there’s an error in the SMS verification system and that the user will be notified once the error is resolved.

In the background, the malicious app is able to read notifications displayed by other apps, including email and SMS. The app even has filters to target messages with specific keywords such as ‘mail, SMS, messaging, outlook, yandex,’ and more.

The app can access the notifications, regardless of the user’s notification settings. However, the app does have its limits. It can only access whatever is displayed on the notification screen. It’s unable to open a text and thus, if the OTP isn’t on the notifications screen, the app can’t access it. This makes OTPs received via SMS more susceptible to access by the attackers as the messages are short and can fit on the notifications screen unlike those received via email.

The malicious app can dismiss notifications once it accesses them, ensuring that the victim doesn’t get to know about the foul play on his/her account. It also has the ability to silence the victim’s phone, further hiding malicious activities from the victim.

Phishing has become common in the crypto industry, especially since the market bounced back in the beginning of the year. As we reported, these scams are evolving quite rapidly, with Ledger, Electrum and MyEtherWallet customers being among those targeted recently.

To ensure safety, only download applications that have links to legitimate websites, keep your phone updated and don’t grant access to phone permissions unless you’re certain that an app absolutely needs it, ESET advised.
