Iranian Hacker Group Developed Android Malware To Steal 2FA SMS Codes


Security firm Check Point said it uncovered an Iranian hacking group that has developed special Android malware capable of intercepting and stealing two-factor authentication (2FA) codes sent via SMS.

The malware was part of an arsenal of hacking tools developed by a hacker group the company has nicknamed Rampant Kitten.

Check Point says the group has been active for at least six years and has been engaged in an ongoing surveillance operation against Iranian minorities, anti-regime organizations, and resistance movements such as:

  • Association of Families of Camp Ashraf and Liberty Residents (AFALR)
  • Azerbaijan National Resistance Organization
  • the Balochistan people

These campaigns involved the use of a wide spectrum of malware families, including four variants of Windows infostealers and an Android backdoor disguised inside malicious apps.

The Windows malware strains were primarily used to steal the victim's personal documents, but also files from Telegram's Windows desktop client, files that would have allowed the hackers to access the victim's Telegram account.

In addition, the Windows malware strains also stole files from the KeePass password manager, consistent with functionality described in a joint CISA and FBI alert about Iranian hackers and their malware, issued earlier this week.

Android app with 2FA-stealing capabilities

But while Rampant Kitten hackers favored Windows trojans, they also developed similar tools for Android.

In a report published today, Check Point researchers said they also discovered a potent Android backdoor developed by the group. The backdoor could steal the victim's contacts list and SMS messages, silently record the victim via the microphone, and show phishing pages.

But the backdoor also contained routines that were specifically focused on stealing 2FA codes.

Check Point said the malware would intercept and forward to the attackers any SMS message that contained the "G-" string, usually employed to prefix 2FA codes for Google accounts sent to users via SMS.

The thinking is that Rampant Kitten operators would use the Android trojan to show a Google phishing page, capture the user's account credentials, and then access the victim's account.

If the victim had 2FA enabled, the malware's 2FA SMS-intercepting functionality would silently send copies of the 2FA SMS code to the attackers, allowing them to bypass 2FA.

But that was not all. Check Point also found evidence that the malware would automatically forward all incoming SMS messages from Telegram and other social network apps. These types of messages also contain 2FA codes, and it is very likely that the group was using this functionality to bypass 2FA on more than Google accounts.
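One defender-side check that follows from the capabilities described above (SMS interception, contact theft, microphone recording, plus network access to exfiltrate) is a permission-combination triage of an Android manifest. This is an added example, not code from Check Point's report or the malware itself; the two manifests are constructed samples and the flagging rule is an assumption for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the article attributes to the Android backdoor, mapped to the
# real Android permission strings an app needs to implement each of them.
CAPABILITY_PERMISSIONS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "contact_theft": {"android.permission.READ_CONTACTS"},
    "audio_recording": {"android.permission.RECORD_AUDIO"},
    "exfiltration": {"android.permission.INTERNET"},
}

def declared_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}

def triage(manifest_xml: str) -> dict:
    """Map declared permissions to capabilities; flag SMS access plus network (assumed rule)."""
    perms = declared_permissions(manifest_xml)
    caps = {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}
    return {"capabilities": sorted(caps),
            "flag": "sms_interception" in caps and "exfiltration" in caps}

# Constructed sample manifests (not taken from any real app or malware sample).
BACKDOOR_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("backdoor-like", BACKDOOR_LIKE), ("benign", BENIGN)):
        print(label, triage(manifest))
```

Legitimate messaging apps also declare SMS permissions, so a flag here is a prompt for closer review of the app, not a verdict on its own.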

While it is widely accepted that state-sponsored hacking groups are usually capable of bypassing 2FA, it is very rare that we get an insight into their tools and how they do it.

Rampant Kitten now joins the ranks of APT20, a Chinese state-sponsored hacking group that was also seen bypassing hardware-based 2FA solutions last year.
