Pierluigi Paganini September 18, 2020

Security researchers discovered Android malware capable of bypassing 2FA that was developed by an Iran-linked group dubbed Rampant Kitten

Security researchers from Check Point discovered an Android malware, developed by an Iran-linked group dubbed Rampant Kitten, that is able to bypass 2FA.

Rampant Kitten has been active at least since 2014 and was involved in ongoing surveillance operations against Iranian minorities, anti-regime organizations, and resistance movements.

Some of the organizations targeted by the group are:

• Association of Families of Camp Ashraf and Liberty Residents (AFALR)
• Azerbaijan National Resistance Organization
• Balochistan people

The arsenal of the group included several strains of malware, including an Android backdoor disguised inside malicious apps and four variants of Windows infostealers that were also able to access victims’ Telegram Desktop and KeePass account information.

The report states that among the different attack vectors they have found there are:

• Four variants of Windows infostealers intended to steal the victim’s personal documents as well as access to their Telegram Desktop and KeePass account information
• Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s voice surroundings and more
• Telegram phishing pages, distributed using fake Telegram service accounts

Rampant Kitten also developed an Android backdoor that could steal the victim’s contacts list and SMS messages, record surroundings via the microphone, and show phishing pages.

In order to silently turn on the microphone in a real-time manner, the app needs to have its service running in the background, but this implies that a specific notification is displayed to the users to alert him.

The authors of the malware chose to display the user with a fake notification of “Google protect is enabled“ to circumvent this issue.

Experts discovered that the Android backdoor implements the forwarding of any SMS starting with the prefix G- (The prefix of Google two-factor authentication codes), to a phone number that it receives from the C&C server.

The feature is also able to automatically send all incoming SMS messages from Telegram, and other social network apps, to a phone number under the control of the attackers.

According to the experts, this feature could be used by Rampant Kitten to show a Google phishing page and steal user’s account credentials to access the victim’s account.

If the victim had 2FA enabled, the malware is also able to intercept 2FA SMS and send them to the attackers.

“Following the tracks of this attack revealed a large-scale operation that has largely managed to remain under the radar for at least six years. According to the evidence we gathered, the threat actors, who appear to be operating from Iran, take advantage of multiple attack vectors to spy on their victims, attacking victims’ personal computers and mobile devices.” concludes the report that also includes Indicators of Compromise (IoCs). “Since most of the targets we identified are Iranians, it appears that similarly to other attacks attributed to the Islamic Republic, this might be yet another case in which Iranian threat actors are collecting intelligence on potential opponents to the regiment.”

Pierluigi Paganini

(SecurityAffairs – hacking, Rampant Kitten)

[adrotate banner=”5″]

[adrotate banner=”13″]