21 September 2020

Iranian hackers create Android malware that steals 2FA SMS codes


Researchers have uncovered an ongoing surveillance operation orchestrated by an Iranian hacker group aimed at Iranian dissidents and expatriates. The hacker group, dubbed Rampant Kitten, has been active for at least six years and has been engaged in cyber espionage campaigns against Iranian minorities, anti-regime organizations, and resistance movements.

"According to the evidence we gathered, the threat actors, who appear to be operating from Iran, take advantage of multiple attack vectors to spy on their victims, attacking victims' personal computers and mobile devices," researchers from Check Point said.

The group’s arsenal includes several variants of Windows infostealers intended to steal the victim’s personal documents as well as their Telegram Desktop and KeePass account information; Telegram phishing pages distributed using fake Telegram service accounts; and an Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s surroundings via the microphone, and shows phishing pages.

The Android malware is disguised as an application that ostensibly helps Persian speakers in Sweden get their driver’s license. To turn on the microphone silently in real time, the app needs its service running in the background, but this means a specific notification is displayed to alert the user.

Once the malware receives the proper command from the C&C server, the user is presented with a Google login page. To steal the typed-in credentials, Android’s JavascriptInterface is used, along with a timer that periodically retrieves the contents of the username and password input fields.

According to the researchers, the Android backdoor forwards any SMS starting with the prefix G-, the prefix of Google two-factor authentication codes, to a phone number it receives from the C&C server. Furthermore, all incoming SMS messages from Telegram and other social network apps are also automatically sent to the attackers’ phone number.
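As an added defender's example (not Check Point's tooling and not the malware's own code), the following Python heuristic parses an AndroidManifest.xml and flags the combination of capabilities described above: an SMS receiver plus send permission (2FA code forwarding), microphone access, and a background service. The sample manifest, package name and class names are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace

# Constructed sample manifest for a supposed "driver's licence helper" app
# that declares far more than such an app would ever need.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.drivinghelper">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".RecService" android:foregroundServiceType="microphone"/>
    <receiver android:name=".SmsRx">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Capability groups drawn from the behaviour described in the article.
SMS_INTERCEPT = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_FORWARD = {"android.permission.SEND_SMS"}
MIC = {"android.permission.RECORD_AUDIO"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(xml_text: str) -> dict:
    """Return which surveillance capabilities a manifest declares."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    # A receiver registered for SMS_RECEIVED is what lets an app read incoming
    # SMS, 2FA codes included; a high-priority filter on it is a common tell.
    sms_receiver = any(a.get(A + "name") == SMS_ACTION for a in root.iter("action"))
    findings = {
        "sms_intercept": bool(perms & SMS_INTERCEPT) and sms_receiver,
        "sms_forward": bool(perms & SMS_FORWARD),
        "microphone": bool(perms & MIC),
        "background_service": root.find("application/service") is not None,
    }
    # All four together match the backdoor profile; fewer hits still deserve
    # a look when the app's stated purpose does not need them.
    findings["score"] = sum(findings.values())
    findings["matches_profile"] = findings["score"] == 4
    return findings
```

Run it against a manifest pulled from a decoded APK to get a quick first-pass verdict before deeper analysis.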

“Following the tracks of this attack revealed a large-scale operation that has largely managed to remain under the radar for at least six years. According to the evidence we gathered, the threat actors, who appear to be operating from Iran, take advantage of multiple attack vectors to spy on their victims, attacking victims’ personal computers and mobile devices,” the researchers said.

“Since most of the targets we identified are Iranians, it appears that similarly to other attacks attributed to the Islamic Republic, this might be yet another case in which Iranian threat actors are collecting intelligence on potential opponents to the regime.”
