Computer security researchers warn that security shortcomings in Android/Play Store undermine the security offered by all SMS-based two-factor authentication (2FA).
The issue – first reported to Google more than a year ago – revolves around an alleged security weakness rather than a straightforward software vulnerability. The BAndroid vulnerability was presented at the Android Security Symposium in Vienna last September by Victor van der Veen of Vrije Universiteit, Amsterdam. On the BAndroid microsite (featuring a video and FAQ), the Dutch researchers explain the cause and scope of the alleged vulnerability:
If attackers have control over the browser on the PC of a user using Google services (like Gmail, Google+, etc.), they can push any app with any permission on any of the user’s Android devices, and activate it – allowing one to bypass 2-factor authentication via the phone.
Read more at The Register