Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:00 AM
Alan Bavosa
Alan Bavosa
Connect Directly
E-Mail vvv

How Hackers Blend Attack Methods to Bypass MFA

Protecting mobile apps requires a multilayered approach with a mix of cybersecurity measures to counter various attacks at different layers.

Many security experts recommend multifactor authentication (MFA) to prevent unauthorized access to protected accounts. It's a key security measure for mobile apps, but it's not a silver bullet. Hackers are getting better at defeating second- and third-layer security protections like MFA. 

For example, the Iranian hacker group Rampant Kitten targeted Iranian dissidents using malware deposited in the victim's Telegram messaging app, whose MFA was bypassed using previously intercepted SMS codes.

Then there's Cerberus, a Trojan that abuses Android accessibility features like "developer options" and "enable unknown sources" to escalate privileges, enable remote access, and update malware on target systems. Hackers reverse-engineered Google's authentication flow and extracted two-factor authentication credentials from mobile apps to mimic and bypass Google Authenticator. 

Related Content:

7 Mobile Browsers Vulnerable to Address-Bar Spoofing

The Changing Face of Threat Intelligence

New on The Edge: 9 Cyber Disaster-Recovery Planning Tips for a Disaster-Prone Time

Plus, earlier this year we saw the emergence of the Eventbot malware, which targets mobile banking apps and often masquerades as a well-known app (like Microsoft or Adobe). It can intercept SMS messages to obtain MFA codes for account takeovers and data theft. Newer and more sophisticated variants continue to pop up thanks to auto-update capabilities.

And these are just a few well-known cases. Hackers bypass MFA all the time, often using the following common techniques to attack mobile apps.

Reverse Engineering & Tampering 
Hackers use static and dynamic analysis to understand how apps work and to alter apps in many ways. They use debuggers and emulators to observe how apps function in simulated environments. They use disassemblers and decompilers to obtain source code and understand how it executes. For everything a hacker wants to do, there's five or 10 tools to do it, all freely available.

With the information these tools provide, hackers figure out where apps' weaknesses are and then craft attacks to exploit those weaknesses. For example, using tools like Ghidra, IDA, and others, hackers can execute a class dump and show all third-party libraries in any app. Then they search public data sources (such as MITRE) to find all the bugs and vulnerabilities in those libraries so they can craft an attack that exploits them. And they enhance their attacks by blending attack techniques. The more they know about the app, the more damage they can do.

Transport Layer Attacks and Social Engineering
Hackers alter digital certificates and use them in phishing and man-in-the-middle (MitM) attacks. For example, let's say an attacker intercepts a mobile banking session using an altered certificate to establish connections on both sides (that is, the hacker sits "in the middle" of the user and the bank). Both the bank's server and the mobile user think they are talking to a trusted entity because the certificate appears real, as it's the digital equivalent of a "fake ID."

To appear even more legitimate, hackers often insert a screen overlay, which is a fake copy of the website to which the user thinks he or she is connecting. Then they record the user's keystrokes to intercept the data or trick the user into revealing info to them. That's one of the methods used in the Rampant Kitten example above to get victims to install the malware.

Data Extraction & Credential Theft
Hackers search for unencrypted data stored in many different locations in a mobile app, such as the app sandbox, clipboard, preferences, resources, and strings. Mobile apps also store authentication tokens, cookies, and user credentials in shared storage areas. Hackers can extract this data easily, especially if it's not encrypted or obfuscated. 

Recommendations for Mobile App Developers
Protecting mobile apps requires a multilayered approach with a mix of cybersecurity measures to counter various attacks at different layers.

● Harden apps with anti-tampering, anti-reversing, checksum validation, and jailbreak/root prevention. Build in protection against the common tools that hackers use to study, simulate, and learn about your app and all its components.

● Obfuscate your code for both native and non-native apps, including third-party libraries and your code's logic. This prevents reverse engineering.

● Encrypt sensitive data in all places that it exists. The sandbox is not the only place where data lives. Encrypt strings, data in-app preferences, resources, API keys, and secrets. And never leave sensitive data or artifacts in the clear.

● Protect data in transit: Implement certificate pinning and certificate or certificate authority validation to protect against MitM attacks, phishing, and altered certificates. 

● Consider "in-app" MFA: Developers can strengthen MFA with biometric security by leveraging in-app FaceID/TouchID on a per-app basis. That way, even if the device PIN code or the MFA solution is compromised, the app is still safe. 

Solid security requires a layered defense. MFA is far stronger than a traditional username/password model for authentication, and I encourage its use. But it's insufficient by itself, and lack of app/data protection can actually lead to MFA compromise.

Alan is VP Security Products at Appdome. A longtime product exec and serial entrepreneur, Alan has previously served as chief of product for Palerra (acquired by Oracle) and Arcsight (acquired by HP). View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
11/12/2020 | 12:27:30 AM
Re: I don't trust apps
Because of course you know who develops web applications - you know them all, one by one.
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-28
IBM MQ 7.5, 8.0, 9.0, 9.1, 9.2 LTS, and 9.2 CD could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization of trusted data. An attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 186509.
PUBLISHED: 2021-01-28
IBM QRadar SIEM 7.4.0 to 7.4.2 Patch 1 and 7.3.0 to 7.3.3 Patch 7 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker co...
PUBLISHED: 2021-01-28
A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can lead to the execution of arbitrary requests in the context of the victim. An attacker can...
PUBLISHED: 2021-01-28
Cross-site scripting vulnerability in Aterm WF800HP firmware Ver1.0.9 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.
PUBLISHED: 2021-01-28
Cross-site request forgery (CSRF) vulnerability in Aterm WG2600HP firmware Ver1.0.2 and earlier, and Aterm WG2600HP2 firmware Ver1.0.2 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.