Given the amount of Android malware I analyze that reads 2FA codes, I wonder how secure the feature is now [on a smartphone].
In the screenshots below, the malware reads second-factor codes via accessibility tweaks, retrieves the values, encrypts them with RC4 and sends them to a REST API on a remote C2. This is a sample of Android/SOVA.
Conclusion: 2FA doesn't "work" on a device which can be compromised.
@cryptax Does the "screenshot prevention" stuff help at all there? Like using an OTP app that sets the Android feature to block screenshots. I don't know much about the accessibility APIs, and whether that is affected.
@cryptax Is the malware using accessibility tweaks to read SMS/email/etc 2FA codes? Or can it also read 2FA codes from OTP apps like Aegis Authenticator, andOTP, or Google Authenticator? I meant that OTP apps could maybe have a setting to enable blocking the accessibility methods for reading.
@eighthave difficult to "block accessibility" because people with handicaps legitimately need it...
@cryptax right I get that. I'm thinking that a security-sensitive app like Aegis could have a setting to let the user disable the accessibility stuff.
@eighthave yes, they're using accessibility to read 2FA, often from known apps like Google Authenticator, or just SMS.
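As an added example that is not part of the thread above, and not code from Android/SOVA or from any of the OTP apps mentioned, here is what the two mitigations discussed look like in an Android Activity that displays a one-time code. It assumes Kotlin with AndroidX, a layout `activity_otp` containing a `TextView` with id `otp_code` (both hypothetical names), and a hypothetical user preference `hide_from_accessibility` of the kind proposed in the thread. `FLAG_SECURE` is the "screenshot prevention" feature; it blocks screenshots, screen recording and display on non-secure outputs, but it does not hide anything from an accessibility service, which reads node text from the view hierarchy rather than from pixels. The second control, `setAccessibilityDataSensitive`, exists from Android 14 (API 34) and withholds the view's text from accessibility services that have not declared themselves accessibility tools.

```kotlin
// Added example (not from the thread, not from any real OTP app or from Android/SOVA).
// Assumptions: Kotlin + AndroidX; layout activity_otp with a TextView otp_code
// (hypothetical); a hypothetical SharedPreferences flag "hide_from_accessibility".
import android.os.Build
import android.os.Bundle
import android.view.View
import android.view.WindowManager
import android.widget.TextView
import androidx.appcompat.app.AppCompatActivity

class OtpActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // Mitigation 1: FLAG_SECURE. Stops screenshots, screen recording and
        // mirroring to non-secure displays. It does NOT stop an accessibility
        // service from reading the code: AccessibilityNodeInfo carries the
        // view's text independently of what is drawn on screen.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )

        setContentView(R.layout.activity_otp)
        val codeView = findViewById<TextView>(R.id.otp_code)
        codeView.text = "123 456" // constructed placeholder, not a real TOTP

        // User-facing toggle of the kind suggested in the thread: on by default,
        // a user who relies on a screen reader can switch it off.
        val hideFromAccessibility = getSharedPreferences("security", MODE_PRIVATE)
            .getBoolean("hide_from_accessibility", true)

        if (hideFromAccessibility) {
            applyAccessibilityGuard(codeView)
        }
    }

    // Mitigation 2: on Android 14+ mark the code view as accessibility-data-
    // sensitive. Only services whose service XML declares
    // isAccessibilityTool="true" receive this node's text; any other
    // accessibility service sees the node without its content.
    // On older releases there is no per-view equivalent; the only option is
    // importantForAccessibility="no", which removes the view for every
    // assistive tool, including legitimate ones.
    private fun applyAccessibilityGuard(view: View) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            view.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
        } else {
            view.importantForAccessibility = View.IMPORTANT_FOR_ACCESSIBILITY_NO
        }
    }
}
```

Two caveats a practitioner should keep in mind. `isAccessibilityTool` is declared by the accessibility service itself and enforced by store policy rather than by the platform, so a sideloaded malicious service can claim it; the control raises the bar, it does not restore the thread's "compromised device" case. And neither mitigation touches codes delivered by SMS or shown in notifications, which the thread notes are also harvested; those are read through the SMS and notification-listener paths, not through the OTP app's views.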