In a blog post, researcher Lukas Stefanko said the new malicious apps were able to access one-time passwords in SMS two-factor messages without using any SMS permissions.
"As a bonus, this technique also works to obtain OTPs from some email-based 2FA systems," he said.
The apps were built to pass as the Turkish cryptocurrency exchange BtcTurk and used phishing to obtain login credentials to the exchange. Rather than intercepting an SMS to bypass 2FA protection, the apps took the OTP from the notifications that appeared on the display of a compromised device.
The two apps seen in the Play Store.
A second app was uploaded four days later, with a subtle difference; the name was BtcTurk Pro Beta and the developer's name was given as BtSoft. This app was reported to Google on 12 June before even 50 users could install it.
Stefanko said once either app was launched, it asked for a permission named Notification access (right). "This permission allows the app to read the notifications displayed by other apps installed on the device, dismiss those notifications, or click buttons they contain," he added.
Once this was granted, the app showed a fake login screen asking for credentials to log in to BtcTurk. Once these were entered, they were sent to the attacker's server, and a fake error message in Turkish was displayed on the device.
Stefanko said users could avoid getting caught by apps of this kind by trusting cryptocurrency-related and other finance apps only if they were linked from the official website. Another tip he offered was to only allow Notification access to those apps that had a legitimate reason for requesting it.
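The second tip above can be turned into a routine check on managed Android devices: the apps holding Notification access are listed in the `enabled_notification_listeners` secure setting (readable via `adb shell settings get secure enabled_notification_listeners`), so anything not on an allowlist stands out. The script below is an added example, not code from ESET or the researcher; the sample setting value, the package names in it and the allowlist are all constructed for illustration.

```python
from typing import Dict, List

# Constructed sample of `adb shell settings get secure enabled_notification_listeners`
# output: a colon-separated list of ComponentNames, one per app granted Notification
# access. Package names are made up for this example.
SAMPLE_LISTENERS = (
    "com.android.systemui/.statusbar.NotificationListener:"
    "com.example.wearcompanion/com.example.wearcompanion.NotifService:"
    "com.example.fakeexchange/.NotifReader"
)

# Hypothetical allowlist of packages with a legitimate reason to read notifications.
ALLOWLIST = {"com.android.systemui", "com.example.wearcompanion"}


def parse_listeners(raw: str) -> Dict[str, str]:
    """Map package name -> fully qualified listener class.

    Android stores each entry as a flattened ComponentName, either the long form
    'pkg/pkg.Cls' or the short form 'pkg/.Cls'; both are handled here.
    """
    result: Dict[str, str] = {}
    for entry in filter(None, raw.strip().split(":")):
        pkg, _, cls = entry.partition("/")
        if not pkg or not cls:
            continue  # malformed entry, skip rather than guess
        if cls.startswith("."):
            cls = pkg + cls  # expand the short form to the full class name
        result[pkg] = cls
    return result


def unexpected_listeners(raw: str, allowlist=ALLOWLIST) -> List[str]:
    """Return flattened ComponentNames that hold Notification access but are not
    on the allowlist; these are the ones a reviewer should examine first."""
    return sorted(
        f"{pkg}/{cls}"
        for pkg, cls in parse_listeners(raw).items()
        if pkg not in allowlist
    )


if __name__ == "__main__":
    for component in unexpected_listeners(SAMPLE_LISTENERS):
        print(f"unexpected notification listener: {component}")
```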
Screenshots: courtesy ESET