Given the amount of Android malware I analyze that reads 2FA codes, I wonder how secure the feature is now [on a smartphone].
In the screenshots below, the malware reads 2nd factor codes via accessibility tweaks, retrieves the value, encrypts it with RC4 and sends that to a REST API on a remote C2. This is a sample of Android/SOVA.
Conclusion: 2FA doesn't "work" on a device which can be compromised.
@cryptax Does the "screenshot prevention" stuff help at all there? Like using an OTP app that sets the Android feature to block screenshots. I don't know much about the accessibility APIs, and whether that is affected.
@eighthave I'll give it a try (on an emulator ;P) but I don't think the screenshot will show anything particular to detect the first screen is not the real banking app.
@cryptax Is the malware using accessibility tweaks to read SMS/email/etc 2FA codes? Or can it also read 2FA codes from OTP apps like Aegis Authenticator, andOTP, or Google Authenticator? I meant that OTP apps could maybe have a setting to enable blocking the accessibility methods for reading.