A 2FA code (two-factor authentication code) is one of the most secure ways to protect your accounts and services, and Google Authenticator is arguably the best-known app for generating them.
Unfortunately, a new version of an Android malware strain is able to steal 2FA codes from Google's app, according to a report by security firm ThreatFabric (via ZDNet). According to the report, variants of the Cerberus banking trojan were issued with this ability in January 2020.
“Misusing the Accessibility privileges, the Trojan virus can now also steal 2FA codes from the Google Authenticator application. When the app is running, the Trojan can get the content of the interface and can send it to the C2 [command and control – ed] server. Once again, we can guess that this functionality will be used to bypass authentication services that rely on OTP codes,” the report reads.
ThreatFabric notes that the new malware feature isn't being advertised on underground forums just yet, suggesting that this capability is still in testing. The firm says it still presents a major threat to online banking services, but it could also be a massive threat to other accounts and services that use 2FA, such as email, Google accounts, and more.
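The technique described in the report depends on the malware holding Accessibility privileges, which is something an administrator can audit. The following is an added example, not code from the article or from ThreatFabric: a POSIX shell check that compares a device's list of enabled accessibility services against an allowlist and flags anything unexpected. On a real device the list comes from `adb shell settings get secure enabled_accessibility_services`; here a constructed sample string stands in for that output, and the package names in the allowlist are hypothetical.

```shell
# Added example (not from the article): audit the enabled accessibility
# services on an Android device against an allowlist of expected packages.
# On a real device the value would be read with:
#   adb shell settings get secure enabled_accessibility_services
# The settings value is a colon-separated list of package/service entries.

# Hypothetical allowlist: packages expected to hold accessibility privileges
# (a screen reader and an enterprise management agent). Adjust per fleet.
ALLOWED_PACKAGES="com.google.android.marvin.talkback com.example.enterprise.mdm"

# Constructed sample of the settings value. The third entry is a made-up
# package that is not on the allowlist and should be flagged.
SAMPLE_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.enterprise.mdm/.AccessibilityHelper:com.example.unknownapp/.ScreenReaderService"

# Print one line per enabled accessibility service whose package is not on
# the allowlist. $1 is the raw settings value; "null" means none enabled.
list_unexpected_services() {
    services="$1"
    if [ -z "$services" ] || [ "$services" = "null" ]; then
        return 0
    fi
    old_ifs="$IFS"
    IFS=':'
    for entry in $services; do
        # Strip the "/ServiceClass" suffix to get the package name.
        pkg="${entry%%/*}"
        # Pattern match against the space-padded allowlist; this does not
        # depend on IFS, so it works while IFS is set to ':'.
        case " $ALLOWED_PACKAGES " in
            *" $pkg "*) ;;
            *) echo "UNEXPECTED accessibility service: $entry" ;;
        esac
    done
    IFS="$old_ifs"
}

# Run the audit over the constructed sample.
list_unexpected_services "$SAMPLE_SERVICES"
```

Run the script as-is to see the flagged entry from the sample; on a managed device, replace the sample with the real settings value and treat any flagged package as a candidate for removal or investigation, since an accessibility service can read the on-screen content of other apps, including an authenticator.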
Two-factor authentication apps like Google Authenticator are generally considered more secure than SMS-based 2FA. Codes sent by text message can be intercepted, and there have been numerous cases of SIM swap fraud that let criminals obtain these codes.
Nevertheless, we hope to see Google shore up Android's defenses against this malware, as it likely affects other 2FA apps as well. Hopefully, though, that won't mean measures as drastic as the ones it took with SMS and calling permissions.
Feature Developed for Bypassing 2FA Codes on Banking Accounts
All in all, the ThreatFabric team points out that current versions of the Cerberus banking trojan are very advanced. They say Cerberus now includes the same breadth of features usually found in Remote Access Trojans (RATs), a more capable class of malware.
These RAT features allow Cerberus operators to remotely connect to an infected device, use the owner's banking credentials to access an online banking account, and then use the Authenticator OTP-stealing feature to bypass 2FA protections on the account, if present.
ThreatFabric researchers believe the Cerberus trojan will most likely use this feature to bypass Authenticator-based 2FA protections on online banking accounts; however, there's nothing stopping hackers from bypassing Authenticator-based 2FA on other types of accounts. This includes email inboxes, coding repositories, social media accounts, intranets, and others.
If this feature works as intended and ships with Cerberus, it will put the banking trojan in an elite category of malware strains.
The new Cerberus capabilities are detailed in a ThreatFabric report that summarizes all the recent remote access-related upgrades detected in Android malware strains. The report contains additional insights about other Android malware operations, such as Gustuff, Hydra, Ginp, and Anubis.