{
	"id": "34ec8234-0e5e-4bda-bb73-7323f9678fa5",
	"created_at": "2026-04-06T00:16:17.686762Z",
	"updated_at": "2026-04-10T03:35:28.929157Z",
	"deleted_at": null,
	"sha1_hash": "be6e1a8816dc7e25d635fb86af42cf501967b41c",
	"title": "Malware sidesteps Google permissions policy with new 2FA bypass technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1242829,
	"plain_text": "Malware sidesteps Google permissions policy with new 2FA bypass\r\ntechnique\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 16:38:58 UTC\r\nESET Research\r\nESET analysis uncovers a novel technique bypassing SMS-based two-factor authentication while circumventing\r\nGoogle’s recent SMS permissions restrictions\r\n17 Jun 2019  •  5 min. read\r\nWhen Google restricted the use of SMS and Call Log permissions in Android apps in March 2019, one of the\r\npositive effects was that credential-stealing apps lost the option to abuse these permissions for bypassing SMS-based two-factor authentication (2FA) mechanisms.\r\nWe have now discovered malicious apps capable of accessing one-time passwords (OTPs) in SMS 2FA messages\r\nwithout using SMS permissions, circumventing Google’s recent restrictions. As a bonus, this technique also works\r\nto obtain OTPs from some email-based 2FA systems.\r\nThe apps impersonate the Turkish cryptocurrency exchange BtcTurk and phish for login credentials to the service.\r\nInstead of intercepting SMS messages to bypass 2FA protection on users’ accounts and transactions, these\r\nmalicious apps take the OTP from notifications appearing on the compromised device’s display. Besides reading\r\nhttps://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/\r\nPage 1 of 11\n\nthe 2FA notifications, the apps can also dismiss them to prevent victims from noticing fraudulent transactions\r\nhappening.\r\nThe malware, all forms of which are detected by ESET products as Android/FakeApp.KP, is the first known to\r\nsidestep the new SMS permission restrictions.\r\nThe malicious apps\r\nThe first of the malicious apps we analyzed was uploaded to Google Play on June 7, 2019 as “BTCTurk Pro Beta”\r\nunder the developer name “BTCTurk Pro Beta”. It was installed by more than 50 users before being reported by\r\nESET to Google’s security teams. 
BtcTurk is a Turkish cryptocurrency exchange; its official mobile app is linked\r\non the exchange’s website and only available to users in Turkey.\r\nThe second app was uploaded on June 11, 2019 as “BtcTurk Pro Beta” under the developer name “BtSoft”.\r\nAlthough the two apps use a very similar guise, they appear to be the work of different attackers. We reported the\r\napp on June 12, 2019 when it had been installed by fewer than 50 users.\r\nAfter this second app was removed, the same attackers uploaded another app with identical functionality, this time\r\nnamed “BTCTURK PRO” and using the same developer name, icon and screenshots. We reported the app on June\r\n13, 2019.\r\nFigure 1 shows the first two malicious apps as they appeared on Google Play.\r\nFigure 1. The fake BtcTurk apps on Google Play\r\nThe novel 2FA bypass technique\r\nAfter installation, both apps described in the previous section follow a similar procedure. In this section of the\r\nblogpost, we will describe the novel 2FA bypass technique using the first app, “BTCTurk Pro Beta”, as an\r\nexample.\r\nAfter the app is launched, it requests a permission named Notification access, as shown in Figure 2. This\r\npermission allows the app to read the notifications displayed by other apps installed on the device, dismiss those\r\nnotifications, or click buttons they contain.\r\nFigure 2. The fake app requesting Notification access\r\nThe Notification access permission was introduced in Android version 4.3 (Jelly Bean), meaning almost all active\r\nAndroid devices are susceptible to this new technique. 
Both fake BtcTurk apps require Android version 5.0\r\n(Lollipop) or higher to run; thus they could affect around 90% of Android devices.\r\nOnce the user grants this permission, the app displays a fake login form requesting credentials for BtcTurk, as\r\nshown in Figure 3.\r\nFigure 3. The fake login form displayed by the malicious app\r\nAfter credentials are entered, a fake error message in Turkish is displayed, as seen in Figure 4. The English\r\ntranslation of the message is: “Opss! Due to the change made in the SMS Verification system, we are temporarily\r\nunable to service our mobile application. After the maintenance work, you will be notified via the application.\r\nThank you for your understanding.\"\r\nIn the background, the entered credentials are sent to the attacker’s server.\r\nFigure 4. The fake error message displayed by the malicious app\r\nThanks to the Notification access permission, the malicious app can read notifications coming from other apps,\r\nincluding SMS and email apps. The app has filters in place to target only notifications from apps whose names\r\ncontain the keywords “gm, yandex, mail, k9, outlook, sms, messaging”, as seen in Figure 5.\r\nFigure 5. Targeted app names and types\r\nThe displayed content of all notifications from the targeted apps is sent to the attacker’s server. 
The content can be\r\naccessed by the attackers regardless of the settings the victim uses for displaying notifications on the lock screen.\r\nThe attackers behind this app can also dismiss incoming notifications and set the device’s ringer mode to silent,\r\nwhich can prevent victims from noticing fraudulent transactions happening.\r\nAs for effectiveness in bypassing 2FA, the technique does have its limitations – attackers can only access the text\r\nthat fits the notification’s text field, and thus, it is not guaranteed it will include the OTP. The targeted app names\r\nshow us that both SMS and email 2FA are of interest to the attackers behind this malware. In SMS 2FA, the\r\nmessages are generally short, and OTPs are likely to fit in the notification message. However, in email 2FA,\r\nmessage length and format are much more varied, potentially impacting the attacker’s access to the OTP.\r\nA fast-evolving technique\r\nJust last week, we analyzed a malicious app impersonating the Turkish cryptocurrency exchange Koineks (kudos\r\nto @DjoNn35 for bringing that app to our attention). It is of interest that the fake Koineks app uses the same\r\nmalicious technique to bypass SMS and email-based 2FA but lacks the ability to dismiss and silence notifications.\r\nAccording to our analysis, it was created by the same attacker as the “BTCTurk Pro Beta” app analyzed in this\r\nblogpost. This shows that attackers are currently working on tuning this technique to achieve the “next best”\r\nresults to stealing SMS messages.\r\nFigure 6. Information about the fake Koineks app on Google Play\r\nHow to stay safe\r\nIf you suspect that you have installed and used one of these malicious apps, we advise you to uninstall it\r\nimmediately. 
Check your accounts for suspicious activity and change your passwords.\r\nLast month, we warned about the growing price of bitcoin giving rise to a new wave of cryptocurrency malware\r\non Google Play. This latest discovery shows that crooks are actively searching for methods of circumventing\r\nsecurity measures to increase their chances of profiting from the development.\r\nTo stay safe from this new technique, and financial Android malware in general:\r\nOnly trust cryptocurrency-related and other finance apps if they are linked from the official website of the\r\nservice\r\nOnly enter your sensitive information into online forms if you are certain of their security and legitimacy\r\nKeep your device updated\r\nUse a reputable mobile security solution to block and remove threats; ESET systems detect and block these\r\nmalicious apps as Android/FakeApp.KP\r\nWhenever possible, use software-based or hardware token one-time password (OTP) generators instead of\r\nSMS or email\r\nOnly use apps you consider trustworthy, and even then: only allow Notification access to those that have a\r\nlegitimate reason for requesting it\r\nIndicators of Compromise (IoCs)\r\nPackage name Hash ESET detection name\r\nbtcturk.pro.beta 8C93CF8859E3ED350B7C8722E4A8F9A3 Android/FakeApp.KP\r\ncom.app.btsoft.app 843368F274898B9EF9CD3E952EEB16C4 Android/FakeApp.KP\r\ncom.app.elipticsoft.app 336CE9CDF788228A71A3757558FAA012 Android/FakeApp.KP\r\ncom.koinks.mobilpro 4C0B9A665A5A1F5DCCB67CC7EC18DA54 Android/FakeApp.KP\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Description\r\nInitial Access T1475 Deliver Malicious App via Authorized App Store The malware impersonates legitimate services on Google Play.\r\nCredential Access T1411 User Interface Spoofing The malware displays phishing activity and requests users to log in.\r\nSource: 
https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/"
	],
	"report_names": [
		"malware-google-permissions-2fa-bypass"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434577,
	"ts_updated_at": 1775792128,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be6e1a8816dc7e25d635fb86af42cf501967b41c.pdf",
		"text": "https://archive.orkl.eu/be6e1a8816dc7e25d635fb86af42cf501967b41c.txt",
		"img": "https://archive.orkl.eu/be6e1a8816dc7e25d635fb86af42cf501967b41c.jpg"
	}
}