Threat Watch

Android App Being used to Power Account Creation Service

Researchers have identified a fake app affecting Android devices on the Google Play store, allowing attackers to use the victims’ devices to generate One Time Passcodes (OTPs). The application already has over 100,000 downloads; the overall rating of the app is a 3.4, many people have left reviews stating the app the does not work as intended. When the app is downloaded, it asks for the victim’s permission to access and read SMS messages, which is not uncommon.  However, once permission is granted, the user is prompted to enter their phone number, after which a fake loading screen appears on the device. Meanwhile, the attackers behind the app are using the phone number for OTP generation for accounts such as Microsoft, Google, Instagram, Telegram, and Facebook.  After some time, the app will shut down and freeze, forcing the victim to uninstall it.

Many users have left reviews stating that after they uninstalled the application, they noticed a lot of messages with OTPs setting up different accounts that they had never signed up for. The threat actor behind this attack is also selling this service to any other threat groups who may need OTPs for fraudulent accounts they are trying to set up.

ANALYST NOTES

Most websites have adopted a mandatory verification through SMS message for account creation and authentication. Because of these requirements, threat groups have had to become crafty, deploying new methods in order to bypass these security features. At first, criminal actors primarily relied upon Google Voice numbers and “burner phone” numbers. However, with websites also advancing, most of those options are no longer valid when setting up an account. Due to the current situation, the only way threat actors can set up fraudulent accounts is by purchasing access to a stolen phone number for which an OTP can be intercepted. Whenever downloading applications from any of the app stores, it is important to understand that some malicious apps may have bypassed security. Reviews of apps should always be read before downloading, and apps that have fewer reviews or downloads should be avoided.

https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/