Iranian Hacker Group Developed Android Malware To Steal 2FA SMS Codes

The malware could steal 2FA SMS codes for Google accounts. It also contained vague functionality to do the same for Telegram and various social networks.

Security firm Check Point said it uncovered an Iranian hacking group that has developed special Android malware capable of intercepting and stealing two-factor authentication (2FA) codes sent via SMS.

The malware was part of an arsenal of hacking tools developed by a hacker group the company has nicknamed Rampant Kitten.

Check Point says the group has been active for at least six years and has been engaged in an ongoing surveillance operation against Iranian minorities, anti-regime organizations, and resistance movements such as:

Association of Families of Camp Ashraf and Liberty Residents (AFALR)
Azerbaijan National Resistance Organization
the Balochistan people

These campaigns involved the use of a wide spectrum of malware families, including four variants of Windows infostealers and an Android backdoor disguised inside malicious apps.

The Windows malware strains were primarily used to steal the victim’s personal documents, but also files from Telegram’s Windows desktop client, files that would have allowed the hackers to access the victim’s Telegram account.

In addition, the Windows malware strains also stole files from the KeePass password manager, consistent with functionality described in a joint CISA and FBI alert about Iranian hackers and their malware, issued earlier this week.

Android app with 2FA-stealing capabilities

But while Rampant Kitten hackers favored Windows trojans, they also developed similar tools for Android.

In a report published today, Check Point researchers said they also discovered a potent Android backdoor developed by the group. The backdoor could steal the victim’s contacts list and SMS messages, silently record the victim via the microphone, and show phishing pages.

But the backdoor also contained routines that were specifically focused on stealing 2FA codes.

Check Point said the malware would intercept and forward to the attackers any SMS message that contained the “G-” string, usually employed to prefix 2FA codes for Google accounts sent to users via SMS.

The thinking is that Rampant Kitten operators would use the Android trojan to show a Google phishing page, capture the user’s account credentials, and then access the victim’s account.

If the victim had 2FA enabled, the malware’s 2FA SMS-intercepting functionality would silently send copies of the 2FA SMS code to the attackers, allowing them to bypass 2FA.

But that was not all. Check Point also found evidence that the malware would automatically forward all incoming SMS messages from Telegram and other social network apps. These types of messages also contain 2FA codes, and it’s very likely that the group was using this functionality to bypass 2FA on more than Google accounts.
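A defender-side triage of the capability set described above, as an added example that is not from Check Point's report or this article: it parses an AndroidManifest.xml and flags an app that registers for incoming SMS and can also reach the network. The sample manifest, package name and receiver name are constructed, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Capabilities the article attributes to the backdoor, mapped to the permissions they need.
CAPABILITY_PERMISSIONS = {
    "intercept incoming SMS": "android.permission.RECEIVE_SMS",
    "read stored SMS": "android.permission.READ_SMS",
    "read contacts": "android.permission.READ_CONTACTS",
    "record microphone": "android.permission.RECORD_AUDIO",
    "send data off device": "android.permission.INTERNET",
}

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.drivingtest">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".MsgReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return declared capabilities and receivers registered for incoming SMS."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(A + "name") for p in root.iter("uses-permission")}
    capabilities = sorted(
        cap for cap, perm in CAPABILITY_PERMISSIONS.items() if perm in declared)
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(A + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                priority = int(flt.get(A + "priority", "0"))
                sms_receivers.append((receiver.get(A + "name"), priority))
    # Forwarding codes needs both an SMS receiver and a network path off the device.
    needed = {CAPABILITY_PERMISSIONS["intercept incoming SMS"],
              CAPABILITY_PERMISSIONS["send data off device"]}
    can_forward_sms = bool(sms_receivers) and needed <= declared
    return {"capabilities": capabilities, "sms_receivers": sms_receivers,
            "can_forward_sms": can_forward_sms}
```

A hit is a reason to review the app's behaviour, not proof of malice: legitimate messaging apps declare the same receiver and permissions.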

For now, Check Point said it found this malware hidden inside an Android app masquerading as a service to help Persian speakers in Sweden get their driver’s license. However, the malware could be lurking inside other apps aimed at Iranians opposing the Tehran regime, living in and outside of Iran.

While it is widely accepted that state-sponsored hacking groups are usually capable of bypassing 2FA, it is very rare that we get an insight into their tools and how they do it.

Rampant Kitten now joins the ranks of APT20, a Chinese state-sponsored hacking group that was also seen bypassing hardware-based 2FA solutions last year.


Researchers say the six apps had a combined total of 200,000 downloads – and users who installed them should delete them.


Cybersecurity researchers have unmasked six applications on the Google Play store with a combined total of over 200,000 downloads in yet another example of the highly persistent malware that has been plaguing Android users for the past three years.

Joker malware pretends to be a legitimate app in the Play Store but after installation conducts billing fraud by either sending SMS messages to a premium rate number or using the victim’s account to repeatedly make purchases using WAP billing, which also lines the pockets of Joker’s operators.

The activity occurs behind the scenes and without any input required from the user, meaning they often won’t find out that they’ve been scammed until they receive a phone bill full of additional charges.


Google has removed over 1,700 apps containing Joker malware from the Play Store since 2017, but the malware keeps re-emerging and now six new malicious apps have been identified by researchers at cybersecurity company Pradeo.

Of the six apps uncovered as delivering Joker, one called ‘Convenient Scanner 2’ has been downloaded over 100,000 times alone, while ‘Separate Doc Scanner’ has been downloaded by 50,000 users.

Another app, ‘Safety AppLock’, claims to ‘protect your privacy’ and has been installed 10,000 times by unfortunate victims who will eventually find that the malicious download harms, rather than protects, them.

Two more apps have also received 10,000 downloads each – ‘Push Message-Texting&SMS’ and ‘Emoji Wallpaper’, while one named Fingertip GameBox has been downloaded 1,000 times.

The six apps have now been removed from the Play Store after being disclosed to Google by Pradeo. ZDNet has attempted to contact Google for comment; no response had been received at the time of publication.

Users who have any of the applications on their Android smartphone are urged to remove them immediately.

The six apps are just the latest in a long line of malicious downloads that the group behind Joker – also known as Bread – have attempted to sneak into the Play Store.

A previous blog post by Google’s Android security and privacy team describes Joker as one of the most persistent threats the Play Store faces, with the attackers behind it having “at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected”.

They also note that the sheer number of attempted submissions to the Play Store is one of the reasons it has remained so successful, with up to 23 different apps submitted a day during peak times.


In many cases, the malicious apps have been able to bypass the defences of the Play Store by submitting clean apps to begin with, only to add malicious functionalities at a later date.

“These apps are riddled with permission requests and submitted to Google Play by their developers. They get approved, published and installed by users. Once running on users’ devices, they automatically download malicious code,” Pradeo’s Roxane Suau told ZDNet.

“Then, they leverage their numerous permissions to execute the malicious code. Security checks of these apps’ source code as it is published on the store do not detect the malware, because it’s not there yet,” she added.

The authors of Joker attempt to encourage downloads of the malware by entering fake positive reviews – although many of the apps identified by Pradeo also have many negative reviews by users who’ve fallen victim to the malware, something that users should look out for when downloading apps.

The individual or group behind Joker is highly likely to still be active and attempting to trick more users into downloading malware in order to continue the fraud operation.


