Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:00 AM
Alan Bavosa
Alan Bavosa
Connect Directly
E-Mail vvv

How Hackers Blend Attack Methods to Bypass MFA

Protecting mobile apps requires a multilayered approach with a mix of cybersecurity measures to counter various attacks at different layers.

Many security experts recommend multifactor authentication (MFA) to prevent unauthorized access to protected accounts. It's a key security measure for mobile apps, but it's not a silver bullet. Hackers are getting better at defeating second- and third-layer security protections like MFA. 

For example, the Iranian hacker group Rampant Kitten targeted Iranian dissidents using malware deposited in the victim's Telegram messaging app, whose MFA was bypassed using previously intercepted SMS codes.

Then there's Cerberus, a Trojan that abuses Android accessibility features like "developer options" and "enable unknown sources" to escalate privileges, enable remote access, and update malware on target systems. Hackers reverse-engineered Google's authentication flow and extracted two-factor authentication credentials from mobile apps to mimic and bypass Google Authenticator. 

Related Content:

7 Mobile Browsers Vulnerable to Address-Bar Spoofing

The Changing Face of Threat Intelligence

New on The Edge: 9 Cyber Disaster-Recovery Planning Tips for a Disaster-Prone Time

Plus, earlier this year we saw the emergence of the Eventbot malware, which targets mobile banking apps and often masquerades as a well-known app (like Microsoft or Adobe). It can intercept SMS messages to obtain MFA codes for account takeovers and data theft. Newer and more sophisticated variants continue to pop up thanks to auto-update capabilities.

And these are just a few well-known cases. Hackers bypass MFA all the time, often using the following common techniques to attack mobile apps.

Reverse Engineering & Tampering 
Hackers use static and dynamic analysis to understand how apps work and to alter apps in many ways. They use debuggers and emulators to observe how apps function in simulated environments. They use disassemblers and decompilers to obtain source code and understand how it executes. For everything a hacker wants to do, there's five or 10 tools to do it, all freely available.

With the information these tools provide, hackers figure out where apps' weaknesses are and then craft attacks to exploit those weaknesses. For example, using tools like Ghidra, IDA, and others, hackers can execute a class dump and show all third-party libraries in any app. Then they search public data sources (such as MITRE) to find all the bugs and vulnerabilities in those libraries so they can craft an attack that exploits them. And they enhance their attacks by blending attack techniques. The more they know about the app, the more damage they can do.

Transport Layer Attacks and Social Engineering
Hackers alter digital certificates and use them in phishing and man-in-the-middle (MitM) attacks. For example, let's say an attacker intercepts a mobile banking session using an altered certificate to establish connections on both sides (that is, the hacker sits "in the middle" of the user and the bank). Both the bank's server and the mobile user think they are talking to a trusted entity because the certificate appears real, as it's the digital equivalent of a "fake ID."

To appear even more legitimate, hackers often insert a screen overlay, which is a fake copy of the website to which the user thinks he or she is connecting. Then they record the user's keystrokes to intercept the data or trick the user into revealing info to them. That's one of the methods used in the Rampant Kitten example above to get victims to install the malware.

Data Extraction & Credential Theft
Hackers search for unencrypted data stored in many different locations in a mobile app, such as the app sandbox, clipboard, preferences, resources, and strings. Mobile apps also store authentication tokens, cookies, and user credentials in shared storage areas. Hackers can extract this data easily, especially if it's not encrypted or obfuscated. 

Recommendations for Mobile App Developers
Protecting mobile apps requires a multilayered approach with a mix of cybersecurity measures to counter various attacks at different layers.

● Harden apps with anti-tampering, anti-reversing, checksum validation, and jailbreak/root prevention. Build in protection against the common tools that hackers use to study, simulate, and learn about your app and all its components.

● Obfuscate your code for both native and non-native apps, including third-party libraries and your code's logic. This prevents reverse engineering.

● Encrypt sensitive data in all places that it exists. The sandbox is not the only place where data lives. Encrypt strings, data in-app preferences, resources, API keys, and secrets. And never leave sensitive data or artifacts in the clear.

● Protect data in transit: Implement certificate pinning and certificate or certificate authority validation to protect against MitM attacks, phishing, and altered certificates. 

● Consider "in-app" MFA: Developers can strengthen MFA with biometric security by leveraging in-app FaceID/TouchID on a per-app basis. That way, even if the device PIN code or the MFA solution is compromised, the app is still safe. 

Solid security requires a layered defense. MFA is far stronger than a traditional username/password model for authentication, and I encourage its use. But it's insufficient by itself, and lack of app/data protection can actually lead to MFA compromise.

Alan is VP Security Products at Appdome. A longtime product exec and serial entrepreneur, Alan has previously served as chief of product for Palerra (acquired by Oracle) and Arcsight (acquired by HP). View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
11/12/2020 | 12:27:30 AM
Re: I don't trust apps
Because of course you know who develops web applications - you know them all, one by one.
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "The truth behind Stonehenge...."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-02
fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server. In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is &...
PUBLISHED: 2021-03-02
fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks. By crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is `/pub/`, a user expect that accessing...
PUBLISHED: 2021-03-02
matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk before version 3.15.0, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a `blob` origin that cannot access Matrix user data, so messag...
PUBLISHED: 2021-03-02
Accellion FTA 9_12_432 and earlier is affected by argument injection via a crafted POST request to an admin endpoint. The fixed version is FTA_9_12_444 and later.
PUBLISHED: 2021-03-02
A buffer overflow vulnerability in the AT command interface of Gigaset DX600A v41.00-175 devices allows remote attackers to force a device reboot by sending relatively long AT commands.