Malware researchers discovered malicious apps that can steal one-time passwords from Android Notifications system. This bypasses Google’s ban on apps that access SMS and call logs without justification. This method also opens up the door to getting short-lived access codes that are delivered via email. The two fake BtcTurk apps run on Android 5.0 (KitKat) and above, which means they could impact up to 90% of Android devices. Another app was discovered last week operating in the same way operating in same way.
Source: https://www.bleepingcomputer.com/news/security/android-malware-bypasses-2fa-by-stealing-one-time-passwords/