Radhesh Krishnan Konoth and Victor van der Veen, two security researchers from VU University Amsterdam, have just made public a type of attack that can compromise accounts protected with two-step (two-factor) authentication. The flaw, which they first discovered in 2014, had already been reported to Google, Apple and other services that rely on this type of protection, but so far none of them believes that such an attack is practical.
In case you want more details, here's how the attack takes place. The attackers first need control over the target's PC, either by having physical access to it or through malware that gives them remote access. Once the computer is compromised, they can use the app-syncing or remote-install features of iTunes, the Play Store or similar services to push a malicious app to the victim's phone, in a way that is invisible to the victim and never triggers the second authentication step. In very simple terms, if hackers get hold of your PC, they can abuse app syncing to install malware on your phone as well, and since the phone is the second factor, that factor is then sitting on a device the attackers control.
To be perfectly honest, I understand why Google and Apple didn't get scared when they were notified about this flaw. For the attackers to succeed, they need control over the victim's PC and, more importantly, the malware-carrying app that is covertly pushed to the phone has to be listed on the App Store or Play Store, which means it has to pass the stores' security checks. Nonetheless, we have recently seen quite a few cases in which both companies were caught out by infected apps that sat in their respective stores for a long time before being removed, so maybe they should take this threat a bit more seriously.
If the security of your PC is a concern of yours, you might want to read some of our previous stories, such as "Popular Firefox add-ons may compromise your PC's security" or "Bitdefender launched a free tool to help against ransomware".