Quote:Researchers monitoring malware that affects Android devices discovered malicious apps that can steal one-time passwords (OTP) from the notification system. This development bypasses Google's ban on apps that access SMS and call logs without justification.
 
Google enforced the restriction earlier this year specifically to lower the risk of sensitive permissions where they are not necessary. In theory, this also translated into stronger protection for two-factor authentication (2FA) codes delivered via the short message service.
 
Cybercriminals found a way around this limitation and instead tap into the notifications to obtain the sensitive information. This method also opens up the door to getting short-lived access codes that are delivered via email.
 
Multiple malicious apps impersonating the Turkish cryptocurrency exchange BtcTurk were uploaded to Google Play between June 7 and June 13. Their purpose was to steal the login credentials to the service, and most likely try them with other services where 2FA protection against unauthorized access may be available. Since access to SMS is not explained by any of their features, the fake apps take another route and request permission to check the notifications and to control them.

"This permission allows the app to read the notifications displayed by other apps installed on the device, dismiss those notifications, or click buttons they contain," says Lukas Stefanko, Android malware researcher at ESET.