Researchers monitoring malware that affects Android devices discovered malicious apps that can steal one-time passwords (OTP) from the notification system. This development bypasses Google’s ban on apps that access SMS and call logs without justification.

Google enforced the restriction earlier this year specifically to lower the risk of sensitive permissions where they are not necessary. In theory, this also translated into stronger protection for two-factor authentication (2FA) codes delivered via the short message service.

Källa: Android Malware Bypasses 2FA by Stealing One-Time Passwords