Android Hack Defeats Two-Factor Protection by Forwarding Voice Calls

By Gary Cutlack on at

Security investigators analysing the various malware threats out there have found a clever new Android exploit, one which is said to have the power to defeat two-factor authentication protocols by forwarding voice calls that contain password information.

It's an update of an existing hack concept. Researchers have previously seen malware with the ability to intercept the SMS passcodes that some two-factor systems use to verify that the person in question is sitting there in real time actually looking at their phone -- this latest enhancement to the malware toolkit sets phones to silent to secretly forward voice messages.

It may work in instances where banks or other security minded institutions and businesses ring a number to deliver a one-time authorisation code by voice. If you're unlucky enough to have the malware known as Android.Bankosy on your phone, it could, perhaps, create a perfect storm of hackery where your verification call is forwarded to hackers, who can then empty your bank account of the entire £12 it contains, perhaps even breaking into your £150 overdraft limit.

Symantec explains how it works, with: "Once the malware is installed on the victim’s device, it opens a back door, collects a list of system-specific information, and sends it to the command and control server to register the device and then get a unique identifier for the infected device. If the registration is successful, it uses the received unique identifier to further communicate with the C&C server and receive commands."

[Symantec via The Register]

Want more updates from Gizmodo UK? Make sure to check out our @GizmodoUK Twitter feed, and our Facebook page.