In order to protect themselves from hackers, some financial institutions have started using two-factor authentication systems that use deliver one-time passcodes (OTP) through voice calls rather through SMS. But an updated version of a Trojan malware called Android.Bankosy can now steal voice delivered passwords, according to research by security vendor Symantec. Here's how it works.
When the Android.Bankosy malware finds its way on a victim's Android device, it creates a back door and collects system specific information that could allow hackers to take over a number of functions including unconditional call forwarding. Combine this with the ability to turn the compromised phone on silent means attackers can redirect calls surreptitiously.
According to a blog post by Symantec researcher Dinesh Venkatesan:
Once the unconditional call forwarding is set on the victim’s device, the attacker — who has already stolen the victim’s credentials (the first factor in two-factor authentication and authoristion) — can then initiate a transaction. As part of the design, when the system demands the victim to enter the second factor (i.e., the authorisation token sent through a voice call), the attacker will get the call through call forwarding and enter the second factor as well to complete the transaction.
The malware can also wipe data from compromised devices, delete SMS messages and lock screens with hardcoded keyguard.
[Via Symantec Security Blog]