It seems like every month there is a new malware outbreak in the Android space. Fake apps run rampant in the store, and with the marketplace eclipsing one million malicious threats last year, the problems keep getting worse. This time, a piece of malware has appeared on the platform that goes after one-time passcodes.
One-time codes are typically used as a secondary level of authentication, to ensure that the device you're trying to log into a service with is indeed yours. They are most commonly used for bank apps, and that's exactly what this malware targets. Symantec says that a piece of malware called Android.Bankosy can be deployed on a device and actually intercept the passcode between the user and the website that sends the code. The Trojan specifically looks for apps that use voice codes, then triggers the app to send the code, wiping any trace of its actions.
From Symantec's blog post, here's how it works in more detail.
So how does Android.Bankosy take advantage of voice-based 2FA? Once the malware is installed on the victim's device, it opens a back door, collects a list of system-specific information, and sends it to the command and control (C&C) server to register the device and then get a unique identifier for the infected device. If the registration is successful, it uses the received unique identifier to further communicate with the C&C server and receive commands.
So essentially the malware is working behind the scenes, and can then initiate call forwarding procedures, sending the call containing the code to whatever number it chooses. This is very serious and again illustrates a big flaw that exists when a space such as this is left wide open.
To protect yourself, Symantec recommends basic common-sense practices, but they are worth reiterating. Of course, make sure your software is always up to date. Don't download anything you don't recognize, and make sure apps you download are actually coming from the publisher's or developer's official channels; some apps may look very similar but are malicious. Finally, make note of the permissions an app will require. For instance, a flashlight app shouldn't need access to your contacts.