Academics claim Google Android two-factor authentication is breakable

Andrew Jones 2

So confusing - first - SMS 2FA is usually a backup method - the primary method is using an app to generate the OTP codes. Second - the only way to push and install an app from a browser to an Android phone (with no user intervention) is via the Play Store which does show a notification on the device that 1) it is downloading and 2) it has been installed. Is it man-in-the-middle or is it SMS interception? Next -

"6. What can Google do to fix this?

That is easy: move the app installation process (where the user is prompted to accept the app's permissions) to the mobile device instead of handling it in the browser." (from the linked website) - well there we go then, that's exactly what they did in Marshmallow. Sure it might not be on a huge number of devices, but there is no feasible way Google could have moved the permissions dialog to the mobile device - though it is worth noting that

"In our version of this attack, we assumed the "allow installation from untrusted sources" option to be enabled: we did not publish the repackaged PayPal app in the Play Store due to legal issues. We also expect that repackaged apps are more likely to be picked up by Bouncer." - well you do get asked to accept permissions when you sideload apps - and it is not possible (nor has it been all the way back to at least Android 2.2) for any app to press the install button in an automated way (which causes problems for users that use apps that use screen overlays - like Twilight)

The important question though - is this actually available in the wild, has anyone ever been infected by this type of malware?
