Thanks to Google, Android Two Factor Authentication can be Compromised

By  | 

If you use a smartphone running Android, then it’s time you started paying much more attention to your security. A design flaw has been found in Android’s connection to Google services which allows hackers to install any software they choose on your phone.

The security shortcoming was discovered over a year ago by Dutch researchers, who then warned Google about this security risk. The researchers referred to it as BAndroid (Browser-to-Android), and they released a video and FAQ explaining the security threat.

“In broad strokes, the scenario is as follows. If attackers have control over the browser on the PC of a user using Google services (like Gmail, Google+, etc.), they can push any app with any permission on any of the user’s Android devices, and activate it – allowing one to bypass 2-factor authentication via the phone.”

So if you are using Gmail and open a suspicious link that compromises your Google account, the hackers are then able to use that info to install any app of their choice on your phone. Apps that would be able to circumvent the two-factor authentication security features and perform actions, such as bank transactions to unknown parties.

One of the questions that immediately comes to mind is, if the security flaw requires the hackers to have control of my browser, isn’t it already too late?

The answer, is no. There are many malware programs (that we know of) out on the internet today that can hijack your browser, such as Zeus, SpyEye, Dyre, Dridex, or Carberp. And while it is true that just hacking your Google account gives hackers plenty of opportunities, it would not give them control of your mobile device. This is why two-factor authentication has been so effective until now. Even if the hackers had your password they could not use it since they wouldn’t have the second component, your phone.

And Android users may not be the only ones facing this design flaw. The same research team who discovered BAndroid wrote a paper titled How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication which spoke about the issues such as this, and said that Apple’s Continuity feature which further connects iOS and Mac OS X devices could prove to be just as exploitable.

So far, Google has done nothing to address the issue. If you are worried about your browser’s security, and by extension phone and bank account, the researchers offer a few tips on how to protect yourself.

  • Keep your software up to date.
  • Do not click on unknown or suspicious links.
  • Do not access your Google account from an untrusted machine.

They even recommend what they call a “harsh but very effective approach”. Use two or more Google accounts, one for your PC and the other for your phone. Until this design flaw is dealt with, it might be the only way to ensure your security.