Google’s poor design decision undermines 2FA protection

A design decision by Google can be exploited by attackers to gain control of both devices needed to access users’ accounts protected via SMS-based 2-factor authentication.

This feature, which is considered a security flaw by the three researchers from VU University Amsterdam who discovered the potential problem, has still not been changed by Google, even though they have been notified of it in 2014.

The researchers dubbed the vulnerability BAndroid (Browser-to-Android).

“If attackers have control over the browser on the PC of a user using Google services (like Gmail, Google+, etc.), they can push any app with any permission on any of the user’s Android devices, and activate it – allowing one to bypass 2-factor authentication via the phone. Moreover, the installation can be stealthy (without any icon appearing on the screen),” they explained.

“Assume a cyber criminal with a financial incentive. He used to be able to instruct his malware to target Internet banking users to transfer funds to an account that is under his control. Due to the deployment of two-factor authentication he can no longer do this, as he cannot intercept transaction codes and thus experiences a declining profit. However, with the technique we describe, attackers can regain full control over the user’s actions: they can take control over the phone and conveniently intercept transaction codes sent via text message and so complete the fraudulent transactions.”

Google says that such an attack is impossible, as Google Bouncer spots malicious mobile apps that can intercept messages with the second authentication factor, and prevents them from being offered for download on Google Play.

But Bouncer has been bypassed many times before, and this group of researchers claims that they have been very successful in publishing shady apps on Google Play (even though they declined to publicly share their methods for now).

They say that regular users are unlikely to spot newly downloaded and installed malicious apps on their phones, unless they happen to check their phone during the process or later check the phone’s notification area.

The researchers say Google does not consider this to be a security issue, and doesn’t have plans to fix it, even though the fix is supposedly as simple as moving the app installation process to the mobile device instead of handling it in the browser.

“Usability and the desire to synchronize everything has become more important than security,” the researchers concluded.

For more information about the feature/flaw and how it can be exploited, go here, or check out this video by Victor van der Veen (one of the researchers):