Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:00 AM
Alan Bavosa
Alan Bavosa
Connect Directly
E-Mail vvv

How Hackers Blend Attack Methods to Bypass MFA

Protecting mobile apps requires a multilayered approach with a mix of cybersecurity measures to counter various attacks at different layers.

Many security experts recommend multifactor authentication (MFA) to prevent unauthorized access to protected accounts. It's a key security measure for mobile apps, but it's not a silver bullet. Hackers are getting better at defeating second- and third-layer security protections like MFA. 

For example, the Iranian hacker group Rampant Kitten targeted Iranian dissidents using malware deposited in the victim's Telegram messaging app, whose MFA was bypassed using previously intercepted SMS codes.

Then there's Cerberus, a Trojan that abuses Android accessibility features like "developer options" and "enable unknown sources" to escalate privileges, enable remote access, and update malware on target systems. Hackers reverse-engineered Google's authentication flow and extracted two-factor authentication credentials from mobile apps to mimic and bypass Google Authenticator. 

Related Content:

7 Mobile Browsers Vulnerable to Address-Bar Spoofing

The Changing Face of Threat Intelligence

New on The Edge: 9 Cyber Disaster-Recovery Planning Tips for a Disaster-Prone Time

Plus, earlier this year we saw the emergence of the Eventbot malware, which targets mobile banking apps and often masquerades as a well-known app (like Microsoft or Adobe). It can intercept SMS messages to obtain MFA codes for account takeovers and data theft. Newer and more sophisticated variants continue to pop up thanks to auto-update capabilities.

And these are just a few well-known cases. Hackers bypass MFA all the time, often using the following common techniques to attack mobile apps.

Reverse Engineering & Tampering 
Hackers use static and dynamic analysis to understand how apps work and to alter apps in many ways. They use debuggers and emulators to observe how apps function in simulated environments. They use disassemblers and decompilers to obtain source code and understand how it executes. For everything a hacker wants to do, there's five or 10 tools to do it, all freely available.

With the information these tools provide, hackers figure out where apps' weaknesses are and then craft attacks to exploit those weaknesses. For example, using tools like Ghidra, IDA, and others, hackers can execute a class dump and show all third-party libraries in any app. Then they search public data sources (such as MITRE) to find all the bugs and vulnerabilities in those libraries so they can craft an attack that exploits them. And they enhance their attacks by blending attack techniques. The more they know about the app, the more damage they can do.

Transport Layer Attacks and Social Engineering
Hackers alter digital certificates and use them in phishing and man-in-the-middle (MitM) attacks. For example, let's say an attacker intercepts a mobile banking session using an altered certificate to establish connections on both sides (that is, the hacker sits "in the middle" of the user and the bank). Both the bank's server and the mobile user think they are talking to a trusted entity because the certificate appears real, as it's the digital equivalent of a "fake ID."

To appear even more legitimate, hackers often insert a screen overlay, which is a fake copy of the website to which the user thinks he or she is connecting. Then they record the user's keystrokes to intercept the data or trick the user into revealing info to them. That's one of the methods used in the Rampant Kitten example above to get victims to install the malware.

Data Extraction & Credential Theft
Hackers search for unencrypted data stored in many different locations in a mobile app, such as the app sandbox, clipboard, preferences, resources, and strings. Mobile apps also store authentication tokens, cookies, and user credentials in shared storage areas. Hackers can extract this data easily, especially if it's not encrypted or obfuscated. 

Recommendations for Mobile App Developers
Protecting mobile apps requires a multilayered approach with a mix of cybersecurity measures to counter various attacks at different layers.

● Harden apps with anti-tampering, anti-reversing, checksum validation, and jailbreak/root prevention. Build in protection against the common tools that hackers use to study, simulate, and learn about your app and all its components.

● Obfuscate your code for both native and non-native apps, including third-party libraries and your code's logic. This prevents reverse engineering.

● Encrypt sensitive data in all places that it exists. The sandbox is not the only place where data lives. Encrypt strings, data in-app preferences, resources, API keys, and secrets. And never leave sensitive data or artifacts in the clear.

● Protect data in transit: Implement certificate pinning and certificate or certificate authority validation to protect against MitM attacks, phishing, and altered certificates. 

● Consider "in-app" MFA: Developers can strengthen MFA with biometric security by leveraging in-app FaceID/TouchID on a per-app basis. That way, even if the device PIN code or the MFA solution is compromised, the app is still safe. 

Solid security requires a layered defense. MFA is far stronger than a traditional username/password model for authentication, and I encourage its use. But it's insufficient by itself, and lack of app/data protection can actually lead to MFA compromise.

Alan is VP Security Products at Appdome. A longtime product exec and serial entrepreneur, Alan has previously served as chief of product for Palerra (acquired by Oracle) and Arcsight (acquired by HP). View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
11/12/2020 | 12:27:30 AM
Re: I don't trust apps
Because of course you know who develops web applications - you know them all, one by one.
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-19
VMware NSX-T contains a privilege escalation vulnerability due to an issue with RBAC (Role based access control) role assignment. Successful exploitation of this issue may allow attackers with local guest user account to assign privileges higher than their own permission level.
PUBLISHED: 2021-04-19
Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using DNS spoofing attack and a device initiated remote port-forward channel can be us...
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode.
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices with firmware version 4.540 and older an authenticated user can run commands as root user using a command injection vulnerability.
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices in all versions provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens and passwords.