A new piece of phishing malware that impersonates the BTC Turk cryptocurrency exchange is targeting Android users. According to a report by the cybersecurity firm ESET, the malware sidesteps Google's recent permission restrictions and can still read one-time passwords (OTPs) delivered by email or SMS. It ships inside apps that pose as the official BTC Turk app, and the attackers' goal, the report states, is to steal the victim's exchange credentials. The OTP is the randomly generated code a user must enter to log in to an account on which two-factor authentication (2FA) has been enabled, so reading it lets the attackers complete a login with stolen credentials.

In March, Google restricted Android apps' use of the call log and SMS permissions, which removed the most common route attackers used to bypass SMS-based 2FA. This malware, however, gets at the same codes without those permissions; according to the report it is the first known malware to do so.

Once the user installs the app, believing it to be the legitimate BTC Turk app, it requests notification access. This is a separate permission, not covered by the March restrictions, that lets an app read the notifications displayed by every other app and even dismiss them. Once the request is granted, the app displays a message in Turkish saying that the SMS verification system has an error and that the user will be notified once it is resolved. In the background, the malicious app reads the notifications posted by other apps, including email and SMS clients. It applies filters so that it only acts on notifications containing specific keywords such as "mail", "SMS", "messaging", "outlook", "yandex" and others, and it can read them regardless of the user's notification settings.

The app does have its limits. It can only see the text that is actually rendered in the notification; it cannot open the underlying message, so if the OTP is not visible in the notification itself, the app cannot obtain it.
This makes OTPs received by SMS more exposed than those received by email: SMS messages are short and fit entirely in the notification, whereas email notifications usually show only part of the body. The malicious app can dismiss a notification as soon as it has read it, so the victim never learns that a code was requested for their account. It can also silence the victim's phone, hiding the activity further.

Phishing has become common in the crypto industry, especially since the market bounced back at the beginning of the year. As we reported, these scams are evolving rapidly, with Ledger, Electrum and MyEtherWallet customers among those targeted recently. To stay safe, ESET advised, only download apps that are linked from the service's legitimate website, keep your phone updated, and do not grant an app special permissions unless you are certain it genuinely needs them.
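The whole technique depends on the victim granting notification access, so the quickest check a defender can run is to list which apps on a device currently hold it. The following script is an added example for this article, not code from ESET's report or from the malware; it reads Android's secure setting `enabled_notification_listeners` (a colon-separated list of `package/class` component names, where the class may be abbreviated to `.Class` when it lives inside the package) and flags any listener whose package is not on an allowlist. The `SAMPLE_OUTPUT` string and every package name in it are constructed placeholders so the script runs offline; `read_device()` runs the real `adb` command when a device is attached.

```python
"""Audit which apps hold notification-listener access on an Android device.

Added example (not part of the original article). Android keeps the set of
enabled NotificationListenerService components in the secure setting
`enabled_notification_listeners`; any app in that list can read, and dismiss,
every notification the device shows, including SMS and email OTPs.
"""
import subprocess
from typing import List, Set, Tuple

# Real command that prints the setting; requires USB debugging and adb.
ADB_LIST_CMD = ["adb", "shell", "settings", "get", "secure",
                "enabled_notification_listeners"]

# Constructed sample of what that command prints. The package names are
# placeholders invented for this example, not real apps.
SAMPLE_OUTPUT = (
    "com.example.launcher/com.example.launcher.NotifListener:"
    "com.example.wearable/.WearNotificationService:"
    "com.example.btcexchange/.OtpListener"
)

# Packages the device owner knowingly granted notification access (assumed).
EXPECTED_PACKAGES: Set[str] = {"com.example.launcher", "com.example.wearable"}


def parse_listeners(raw: str) -> List[Tuple[str, str]]:
    """Return (package, fully-qualified class) pairs from the raw setting value.

    An empty value or the literal "null" means no listener is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    listeners = []
    for component in raw.split(":"):
        if "/" not in component:
            continue  # malformed entry: report nothing rather than guess
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand ComponentName short form
        listeners.append((pkg, cls))
    return listeners


def unexpected_listeners(raw: str, expected: Set[str]) -> List[Tuple[str, str]]:
    """Listeners whose package is not on the allowlist: candidates for review."""
    return [(pkg, cls) for pkg, cls in parse_listeners(raw) if pkg not in expected]


def revoke_command(pkg: str, cls: str) -> str:
    """adb command that revokes one listener (Android's `cmd notification` shell)."""
    return f"adb shell cmd notification disallow_listener {pkg}/{cls}"


def read_device() -> str:
    """Fetch the live setting from an attached device via adb."""
    return subprocess.run(ADB_LIST_CMD, capture_output=True, text=True,
                          check=True).stdout


if __name__ == "__main__":
    # Swap SAMPLE_OUTPUT for read_device() to audit a real phone.
    for pkg, cls in unexpected_listeners(SAMPLE_OUTPUT, EXPECTED_PACKAGES):
        print(f"UNEXPECTED notification listener: {pkg}/{cls}")
        print(f"  revoke with: {revoke_command(pkg, cls)}")
```

Run against the sample, the script flags only `com.example.btcexchange`, the one package a user would not expect to need notification access. On a real device, compare the flagged entries with what is shown under Settings > Apps > Special app access > Notification access, and treat any exchange or wallet app on the list as suspect: a trading app has no legitimate reason to read other apps' notifications.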