Threat Watch

Iranian Threat Actor using Android Malware to Steal 2FA Codes

Rampant Kitten: The Iranian threat actor Rampant Kitten has developed Android malware designed to steal two-factor authentication (2FA) codes from text messages. Research from Check Point reported that the group has been active for six years and that its main activity is surveillance of Iranian minorities, anti-regime organizations, and resistance movements. The threat actor has primarily used Windows trojans, but it has been known to use Android malware as well. In this case, the backdoor hidden in an application would steal the victim’s contact list and SMS messages, silently record the victim through the microphone, and display phishing pages. The malware was specifically designed to forward to the threat actor any message beginning with “G-”, a typical sign that the message is a 2FA code for a Google account. Further research also showed that the threat actor was stealing codes from Telegram and other social media applications.

ANALYST NOTES

2FA is an important security control against threat actors using stolen or guessed passwords. Unfortunately, threat actors are getting smarter, and in cases like this they can use malware to steal codes that were sent via SMS. One way to reduce the risk of this type of attack is to make sure that all applications installed on a device come from the Google Play Store and are created by trusted developers. When setting up 2FA, users can always opt for an authenticator application on their device instead of SMS, which removes the SMS-interception path used here. All accounts should be set up with 2FA and a strong password so that they have as many layers of protection as possible.
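As an added triage example (not code from the bulletin or from Check Point), the script below checks a decoded AndroidManifest.xml for the capability set described above: an SMS broadcast receiver plus contact and microphone access. The sample manifest and the package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Capabilities named in the report, mapped to the permissions that grant them.
SPYWARE_PROFILE = {
    "sms_access": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "contact_theft": {"android.permission.READ_CONTACTS"},
    "mic_recording": {"android.permission.RECORD_AUDIO"},
}

# Constructed sample: a benign-looking app that declares all three capabilities
# and registers a high-priority receiver for incoming SMS (how codes get read).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Wallpapers">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def declared_permissions(manifest_xml):
    """Set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}

def has_sms_receiver(manifest_xml):
    """True if any intent-filter action subscribes to SMS_RECEIVED broadcasts."""
    root = ET.fromstring(manifest_xml)
    return any(a.get(f"{{{ANDROID_NS}}}name") == SMS_RECEIVED for a in root.iter("action"))

def triage(manifest_xml):
    """Report which described capabilities are present and flag the full profile."""
    perms = declared_permissions(manifest_xml)
    matched = sorted(cap for cap, needed in SPYWARE_PROFILE.items() if perms & needed)
    listens = has_sms_receiver(manifest_xml)
    # Only the complete combination (SMS receiver + contacts + mic) is escalated;
    # any single permission on its own is common in legitimate apps.
    full_profile = listens and len(matched) == len(SPYWARE_PROFILE)
    return {"capabilities": matched, "sms_receiver": listens,
            "verdict": "review" if full_profile else "ok"}
```

Run `triage()` on a manifest pulled from an APK (for example via apktool) to get a quick first-pass verdict before deeper analysis.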

More can be read here: https://www.zdnet.com/article/iranian-hacker-group-developed-android-malware-to-steal-2fa-sms-codes/