Mitigating MFA bypass attacks: 5 tips for developers
App developers have enough reasons to integrate multi-factor authentication (MFA) into their offerings. Passwords just don’t do the trick, as they’re vulnerable to brute force and can be stolen with basic tools such as screen grabbers.
But while MFA offers enhanced security by asking users to authenticate in various ways, it’s not a cure-all for the app security problem. Hackers are using sophisticated techniques to bypass second- and third-layer security defenses and gain access to user accounts.
Recent MFA bypass cases
In March of 2020, the mobile industry witnessed the emergence of Eventbot, a sophisticated Android-based Trojan that can intercept MFA codes sent to a mobile device via SMS. Eventbot targets users of different financial applications, including money transfer services, online banking and cryptocurrency wallets. Its auto-update capability means new and more advanced variants are expected to appear as hackers attempt to breach mobile systems.
Even the codes generated via authenticator apps are at risk. Security researchers from mobile security company ThreatFabric say that an Android malware strain called Cerberus can extract MFA credentials from the Google Authenticator application. Cerberus reads the content of the app's interface and sends it to a command-and-control server controlled by the adversary. By abusing accessibility privileges, the malware allows hackers to remotely connect to a device and reverse-engineer the authenticator app to bypass MFA security protections on app accounts.
And let’s not forget that there are hacking groups out there developing malware to bypass multi-factor authentication protection. One example is Rampant Kitten, an Iranian hacker group that uses malware designed to look for SMS messages containing a “G” string, which is the prefix companies use as part of the MFA process. The malware is disguised as a legitimate Android app but serves as a backdoor that allows hackers into the user’s device. Once installed, it starts collecting SMS information and relays the data to a command-and-control server.
Common techniques to bypass MFA
Besides malware, hackers may use the following techniques to bypass MFA in mobile apps.
Apps using OAuth integration let users sign in with a third-party account, such as a Gmail or Facebook account, as an alternative login path. Smart hackers take the time to research which apps accept third-party site verification and then use social engineering to extract user credentials for those sites. The technique allows them to bypass MFA without having to tamper with it directly.
Adversaries use decompilers and disassemblers to access and understand how certain apps function, which allows for a broad range of attacks. With the information provided by these tools, they identify the vulnerable endpoints and then craft sophisticated attacks to exploit those areas.
For example, using frameworks like MobSF, hackers can reverse-engineer an app’s bytecode or binary code and evaluate it in a simulated environment. The static analysis would allow them to extract things like API keys to perform further evaluation that could reveal more attack vectors in the app. The more they learn about the app, the more harm they can cause.
In another variant, hackers reverse-engineer mobile apps that integrate MFA and use malware to extract their authentication cookies, tokens and user credentials. Adversaries mostly search for unencrypted data stored in various locations inside the apps, such as the app preferences, clipboard, strings and sandbox. Android apps are especially at risk since they’re known to house data that isn’t obfuscated or encrypted.
Although various social engineering techniques are available to bypass MFA security, hackers commonly leverage reverse proxies like Modlishka and evilginx2. These MITM (man-in-the-middle) frameworks sit between the device and the remote server to intercept credentials. And hackers often use compromised certificates to make the remote server and the device owner think they are communicating with a legitimate entity. Once authenticated, hackers collect session tokens and user credentials for account hijacking and other attacks.
How to mitigate MFA security risks
The fact that MFA is vulnerable to hacking shouldn’t prevent you from integrating it into your apps. It’s a fantastic authentication method that makes various mobile app attacks difficult to execute. Plus, there are ways you can mitigate MFA security risks. Here are some measures you can immediately take:
- Obfuscate the code: Obfuscation turns the app’s code into something incomprehensible or meaningless to an attacker reading it, making it difficult to reverse-engineer. Make sure to obfuscate the logic of bundled third-party libraries, as well.
- Use hardware security keys: Use security keys, such as those from Yubico, where possible. These don’t work with reverse proxies and will mitigate the attack courtesy of the U2F origin binding: only the legitimate site can authenticate a session with the key, and the authentication attempt will fail on a fake website.
- Harden apps: Consider techniques like anti-debugging, checksum validation and anti-tampering to make it difficult for hackers to clone or reverse the apps. It’s also a good idea to add sandbox and emulator detection that checks for artifacts (processes, files and so on) to prevent hackers from learning about your app.
- Encrypt every dataset: Go beyond the sandbox and encrypt data in app preferences, API keys, resources, libraries and strings. Avoid leaving data in the open.
- Use non-SMS MFA: Push notifications and FIDO2 are some of the more secure versions of MFA. Other options include requiring a Touch ID or Face ID verification inside the app. Avoid using MFA that relies on SMS to authenticate user accounts.
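The origin binding that lets hardware keys (U2F/FIDO2) resist the Modlishka/evilginx2-style reverse proxies described above is enforced on the server, in the relying-party checks on the browser’s clientDataJSON. The following is an added example, not code from the article: the relying-party id bank.example, the allowed origin and the constructed client data are assumptions, and the cryptographic signature check is omitted to keep the focus on the binding.

```python
"""Relying-party binding checks from WebAuthn assertion verification (added
example). The browser, not the page, fills in the origin that the authenticator
signs, so a proxy on a lookalike domain cannot produce a valid assertion."""
import base64
import hashlib
import json
import secrets

RP_ID = "bank.example"                      # assumed relying-party id
ALLOWED_ORIGINS = {"https://bank.example"}  # assumed legitimate origin(s)


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_assertion_binding(client_data_b64: str, auth_data: bytes,
                             expected_challenge: str) -> tuple[bool, str]:
    """Return (ok, reason) for the type/challenge/origin/rpIdHash checks."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    # The challenge must be the one issued for this login (defeats replay).
    got = str(client_data.get("challenge", "")).encode()
    if not secrets.compare_digest(got, expected_challenge.encode()):
        return False, "challenge mismatch (replay or wrong session)"
    # A phishing proxy on another domain yields a different origin here,
    # even though it relayed our challenge unchanged.
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client_data.get('origin')!r} not allowed"
    # authenticatorData = SHA-256(rpId) || flags || signCount (>= 37 bytes).
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if not secrets.compare_digest(auth_data[:32],
                                  hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "origin and rpId binding verified"


def build_client_data(origin: str, challenge: str) -> str:
    """Constructed clientDataJSON, shaped as a browser would emit it."""
    return b64url_encode(json.dumps({"type": "webauthn.get",
                                     "challenge": challenge,
                                     "origin": origin}).encode())


def build_auth_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash + UP flag + 4-byte counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
```

In a real deployment the browser additionally refuses to use an rpId that is not a registrable suffix of the page’s origin, so the rpIdHash check mainly guards against tampered assertion data.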
To ensure user safety, mobile app developers need to be aware of the different MFA attack techniques and take relevant protection measures. Hardening apps and integrating secondary factors, such as hardware security keys and Face ID verification, can provide an extra layer of security to the user.
Even though MFA is the final line of defense for authentication, it shouldn’t be trusted as such, and fortifying the infrastructure around MFA should be high on your priority list.
Sources
Cerberus – A new banking Trojan from the underworld, ThreatFabric
Rampant Kitten's arsenal includes Android malware that bypasses 2FA, Security Affairs
Code Obfuscation and Hardening for Mobile Apps, Guardsquare
The Modlishka Phishing Tool and MFA: What You Need to Know, Ping Identity