Endpoint Security , Multi-factor & Risk-based Authentication , Security Operations

Hacking Group Used Malware to Bypass 2FA on Android Devices

Check Point: Hackers Used Several Methods to Target Iranian Dissidents
Hacking Group Used Malware to Bypass 2FA on Android Devices
Fake Android app used as a backdoor (Source: Check Point Research)

A recently uncovered hacking group that has targeted Iranian dissidents for several years has developed malware that can bypass two-factor authentication protection on Android devices to steal passwords, according to a paper published by Check Point Research on Friday.

See Also: Revealing the Threat Landscape: 2024 Elastic Global Threat Report

The hacking group, which Check Point researchers call "Rampant Kitten," also has developed other malicious tools used to steal information and personal data from Windows devices and Telegram accounts, according to the report.

The group, active for at least six years, has mainly targeted Iranian dissidents and expatriates, according to the report. Check Point did not indicate whether Rampant Kitten works on behalf of the Iranian government or is conducting these espionage campaigns on its own.

"According to the evidence we gathered, the threat actors, who appear to be operating from Iran, take advantage of multiple attack vectors to spy on their victims, attacking victims’ personal computers and mobile devices," Check Point notes.

In other Iran-related developments, the U.S. Justice Department and federal prosecutors recently unsealed a series of indictments concerning Iranian attacks aimed at government agencies and private businesses in the U.S. and other parts of the world (see: 3 Iranian Hackers Charged With Targeting US Satellite Firms).

The Treasury Department also announced economic sanctions aimed at an Iranian advanced persistent threat group, 45 associated individuals and a front company the Iranian government allegedly used to run a yearslong malware campaign that targeted Iranian dissidents (see: US Imposes Sanctions on Iranian APT Group).

The U.S. Cybersecurity and Infrastructure Security Agency also warned of increased hacking activity by an Iranian-connected hacking group called "Pioneer Kitten" that has been taking advantage of vulnerabilities in VPN and other networking products (see: Iranian Hackers Exploiting Unpatched Vulnerabilities).

Bypassing 2FA

As part of its research into the six-year Rampant Kitten campaign, Check Point found the hacking group has created malware that allows it to bypass two-factor authentication protections used in Android devices to steal SMS messages that have one-time passwords as well as other data.

The malware is disguised as a legitimate Android app. If installed, however, it functions as a backdoor that can give access to the device, according to the report. Check Point made one discovery - a malicious app designed to help Iranian citizens get a Swedish driver's license -although the researchers note there could be other malicious apps as well.

If the malicious app is installed on an Android device, it will first collect information such as a list of contacts and previous SMS messages, according to the report. It can also capture voice recordings by turning on the microphone and will also call out and connect to a command and control server.

Phishing page disguised as a legitimate Google message (Source: Check Point Research)

The malware apparently is designed to look for SMS messages that contain a "G-" string, which is a prefix used by Google as part of the two-factor authentication process. If the targeted victim was using this protection, then the hackers could capture any one-time passwords sent to the user as part of that process, according to the report.

Check Point researchers found that the hackers sent phishing emails designed as legitimate Google messages to potential victims with instructions to log into their account. These malicious messages would then capture the victim's credentials and, if the two-factor authentication process was in place, the threat actors could bypass those security protocols as well.

The report notes that, while this malware is actively being used, it appears that hackers continue to refine their malicious code.

"During our analysis, it was often obvious that this malicious application was still being actively developed, with various assets and functions which were either leftovers of previous operations or not yet utilized," according to the report.

By forwarding all SMS messages to the hacking group, Check Point notes, the threat actors could also capture one-time passwords for Telegram and other social media apps.

While two-factor authentication can protect devices and users, security researchers have warned that hacking groups and other cybercriminals are getting better at bypassing these security features. Earlier this week, Kaspersky researchers found that a new version of the Cerberus mobile banking Trojan can now steal two-factor authentication passcodes - even those using Google Authenticator (see: Attacks Using Cerberus Banking Trojan Surge ).

Other Attacks

In addition to the malware used to bypass two-factor authentication, the Check Point researchers note that Rampant Kitten deploys at least four Windows information stealers that can capture a wide range of personal data, including victims' Telegram desktop and KeePass - an open source password manager - account information.

The Check Point researchers also found that the hacking group uses phishing pages, designed to appear like legitimate Telegram messages, that can steal credentials and deliver other malware that can allow attackers to maintain persistence on compromised devices, according to the report.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.