
The Researchers also noticed that the malware automatically forwards all incoming SMS messages from Telegram and other social network apps.

Iranian group developed Android malware to steal two-factor authentication codes from SMS messages.

Check Point Research uncovered an ongoing surveillance operation by Iranian entities that has been active for years, mainly targeting Iranian dissidents and expatriates.


The malware is part of an arsenal of hacking tools developed by a hacker group the company has nicknamed Rampant Kitten.

These campaigns used four variants of Windows info stealers and an Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s audio surroundings, and more.

The hacking group has created malware that allows it to bypass two-factor authentication protections on Android devices by stealing SMS messages that contain one-time passwords, along with other data.

Once the app is installed on an Android device, it first collects information such as the contact list and previous messages. It can also obtain voice recordings by turning on the microphone, and it connects to a command-and-control server.

According to the report, the malware was designed to look for messages that contain the string “G-”, a prefix Google uses in the one-time codes it sends as part of its two-factor authentication process. Thus, if a targeted victim uses this protection, the hackers could capture any one-time passwords sent to the user.

"During our analysis, it was often obvious that this malicious application was still being actively developed, with various assets and functions which were either leftover of previous operations, or not yet utilized," according to the report.

In addition, the Windows malware was intended to steal the victim’s documents as well as gain access to their Telegram Desktop and KeePass account information.

The tools and methods have been used in an ongoing surveillance operation against Iranian minorities, anti-regime organisations and resistance movements such as:

  • Association of Families of Camp Ashraf Liberty Residents (AFAR)
  • Azerbaijan National Resistance Organisation
  • Balochistan people

Check Point also said that the malware is hidden in an Android app posing as a service that helps Persian speakers in Sweden get their driver’s licence.
