The malware can steal SMS-delivered 2FA codes for Google accounts. Telegram and other social networks are also under threat.
Security experts at Check Point said an Iranian hacking group has developed Android malware that can intercept two-factor authentication (2FA) codes sent via SMS.
The malware was part of an arsenal of hacking tools developed by a hacker group the company called Rampant Kitten.
Check Point says the group has been active for at least six years and is involved in an ongoing surveillance operation against Iranian minorities, anti-government organizations and resistance movements such as:
- Association of Camp Ashraf Families and Freedom Residents (AFALR)
- Azerbaijan National Resistance Organization
- people of Balochistan
The hackers use a wide range of malware, including four variants of infostealers for Windows and an Android backdoor disguised inside malicious apps.
The Windows malware was mainly used to steal personal documents as well as files from the Telegram desktop client for Windows, which would allow the attackers to access the victim's Telegram account.
The Windows malware also stole files from the KeePass password manager. This is in line with the functionality described in a joint CISA-FBI alert on Iranian hackers and their malware published earlier this week.
App to bypass 2FA
But while the Rampant Kitten hackers favored Trojans for Windows, they also developed similar tools for Android.
In a report published yesterday, Check Point researchers said they also discovered a powerful Android backdoor developed by the group. The backdoor could steal the victim's contact list and SMS messages, silently activate the microphone, and open phishing pages.
The backdoor also contained scripts specifically designed to steal 2FA codes.
Check Point said the malware intercepts and forwards to the attackers any SMS containing the string "G-", the prefix commonly used for 2FA codes that Google sends to users via SMS.
Rampant Kitten operators are believed to use the Android Trojan to force the device to open a Google phishing page, capture the user's credentials, and then gain access to the account.
If the victim had two-factor authentication enabled, the code-sniffing feature could silently send copies of the 2FA code to the attackers, allowing the protection to be bypassed.
Check Point also found evidence that the malware automatically forwards all incoming SMS messages from Telegram and other social networks. These messages also contain 2FA codes, and it is highly likely that the group used this feature to bypass 2FA on more than just Google accounts.
At the moment, the malware masquerades as an app that helps Persian speakers in Sweden obtain a driver's license. However, it could also hide inside other apps aimed at Iranians opposed to the Tehran regime, whether living in Iran or abroad.
While it is generally accepted that government-sponsored hacker groups can usually bypass two-factor authentication anyway, we very rarely get an idea of their tools and how they do it.