Security researchers from Check Point discovered an Android malware, developed by an Iran-linked group dubbed Rampant Kitten, that is able to bypass 2FA.
Rampant Kitten has been active at least since 2014 and was involved in ongoing surveillance operations against Iranian minorities, anti-regime organizations, and resistance movements.
Some of the organizations targeted by the group are:
The arsenal of the group included several strains of malware, including an Android backdoor disguised inside malicious apps and four variants of Windows infostealers that were also able to access victims’ Telegram Desktop and KeePass account information.
The report states that among the different attack vectors they have found there are:
Rampant Kitten also developed an Android backdoor that could steal the victim’s contacts list and SMS messages, record surroundings via the microphone, and show phishing pages.
In order to silently turn on the microphone in a real-time manner, the app needs to have its service running in the background, but this implies that a specific notification is displayed to the users to alert him.
The authors of the malware chose to display the user with a fake notification of “Google protect is enabled“ to circumvent this issue.
Experts discovered that the Android backdoor implements the forwarding of any SMS starting with the prefix
G- (The prefix of Google two-factor authentication codes), to a phone number that it receives from the C&C server.
The feature is also able to automatically send all incoming SMS messages from Telegram, and other social network apps, to a phone number under the control of the attackers.
According to the experts, this feature could be used by Rampant Kitten to show a Google phishing page and steal user’s account credentials to access the victim’s account.
If the victim had 2FA enabled, the malware is also able to intercept 2FA SMS and send them to the attackers.
“Following the tracks of this attack revealed a large-scale operation that has largely managed to remain under the radar for at least six years. According to the evidence we gathered, the threat actors, who appear to be operating from Iran, take advantage of multiple attack vectors to spy on their victims, attacking victims’ personal computers and mobile devices.” concludes the report that also includes Indicators of Compromise (IoCs). “Since most of the targets we identified are Iranians, it appears that similarly to other attacks attributed to the Islamic Republic, this might be yet another case in which Iranian threat actors are collecting intelligence on potential opponents to the regiment.”
(SecurityAffairs – hacking, Rampant Kitten)