Android malware defeats two-factor authentication
Mon 18 Jan 2016

A malware program discovered by Symantec, called Android.Bankosy, can intercept one-time passwords commonly used as a second layer of protection in online financial transactions.
Two-factor authentication is a system of identification where, after a user has entered a password for an online transaction they are sent a one time password (or OTP), usually by SMS text. Continuing with the transaction would require that the user have access to the physical device that received the text, providing an extra security measure for financial information. Even if the password has been cracked, a third party must have the OTP to complete the transaction or access financial information.
Symantec first discovered Android.Bankosy back in July of 2014. It was a malware program that once installed on an Android smartphone could intercept SMS OTPs, allowing a third party access to the one-time password and defeating the second layer of protection in two-factor authorization.
In response, Symantec released anti-virus protection against Android.Bankosy and monitored the updates to the malware in order to keep the anti-virus updated. Financial institutions took note as well, and some changed their two-factor authentication to include a voice call rather than an SMS message, to relay the one-time password to the user. This would eliminate the threat of the password being intercepted – or so it was thought.
This week, Symantec reported a new functionality in the updated version of Android.Bankosy, which can intercept one-time passwords delivered by voice calls.
Once installed on a device, Android.Bankosy creates a back door that opens communication with a command and control server. Once the command and control server has user identification information – the first factor in two-factor authorization – it can set up unconditional call forwarding. Then it can initiate a financial transaction and the call with the one-time password goes straight to the third party. According to the Symantec security blog, “the back door also has support for disabling and enabling silent mode in addition to locking the device, so that the victim is not alerted during an incoming call.”
As always, the best protection against malware is to keep your software up to date, only download programs from trusted sources, and be sure to have a reliable mobile security app installed and updated on your device.