WARNING: Android malware steals Google two-factor authentication codes
When you encounter two-factor authentication, you immediately assume it makes you safer.
The thing is, not all two-factor authentication (2FA) methods are created equal. Some, like SMS, are considered less secure than others. But even SMS is still better than having no 2FA at all.
2FA is easy to set up: authenticator apps such as Google Authenticator are the simplest method, and perhaps also among the most popular.
But what if that 2FA app is discovered to be insecure?
Android users, beware. A security firm has discovered a malware upgrade that can remotely access smartphones and steal 2FA credentials and codes.
What exactly are ‘two-factor authentication’ apps?
Two-factor authentication apps like Google Authenticator, LastPass, and Authy, to name a few, act like password managers, except that they only generate one-time passwords (OTPs) once the app is opened.
These OTPs expire, so a code cannot be reused or used at all once its validity period has passed. But as with password managers, all of that security is thrown out of the window when the application itself is compromised.
To be clear, it is not Google Authenticator itself that is vulnerable to the malware, an online banking trojan called Cerberus.
Instead, the weakness is a side effect of Android's Accessibility service, which is powerful enough to read what other apps display and thereby leak the 2FA codes to attackers.
Add a remote access trojan (RAT) like Cerberus to that, and you have a recipe for a security nightmare.
Cerberus malware can steal 2FA codes from Google Authenticator
Last year, Chinese hackers successfully bypassed 2FA by generating seemingly genuine credentials and codes. Now, malware called Cerberus can reportedly steal authentication credentials and codes outright, which renders 2FA useless.
The security research firm ThreatFabric discovered the upgrade, and the ability to steal 2FA codes is only a recent addition to the program.
The newest version of Cerberus abuses the Accessibility functionality to read what should be the secure and private contents of Google's 2FA application.
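As an added example, not code from the original article or from ThreatFabric's research, here is a Python audit script a defender could run against a managed Android device: it parses the device's `enabled_accessibility_services` setting, as printed by `adb shell settings get secure enabled_accessibility_services`, and reports any accessibility service that is not on an allowlist. The allowlist and the sample device output are constructed for illustration.

```python
import subprocess
from typing import List, Optional

# Constructed allowlist: accessibility services an organisation has reviewed.
ALLOWED_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample of what `adb shell settings get secure
# enabled_accessibility_services` prints with two services enabled;
# com.example.droppedapp is a hypothetical package name.
SAMPLE_OUTPUT = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.droppedapp/.SvcA\n"
)


def parse_enabled_services(raw: str) -> List[str]:
    """Split the colon-separated setting into fully qualified component names.

    `settings get` prints the literal "null" when no service is enabled, and
    Android lets the class be abbreviated with a leading dot ("pkg/.Svc"
    means "pkg/pkg.Svc"); both cases are normalised here.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        pkg, sep, cls = entry.partition("/")
        if not sep:
            continue  # skip malformed fragments such as a trailing colon
        if cls.startswith("."):
            cls = pkg + cls
        services.append(f"{pkg}/{cls}")
    return services


def unexpected_services(raw: str) -> List[str]:
    """Enabled services not on the allowlist: candidates for a closer look."""
    return [s for s in parse_enabled_services(raw) if s not in ALLOWED_SERVICES]


def audit_device(serial: Optional[str] = None) -> List[str]:
    """Query a connected device over adb and return its unexpected services."""
    cmd = ["adb"] + (["-s", serial] if serial else [])
    cmd += ["shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return unexpected_services(subprocess.check_output(cmd, text=True))
```

An accessibility service has to be enabled on the device before it can read another app's screen, so an unexpected entry in this list is worth investigating.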
Hackers using this malware could use the stolen 2FA codes and credentials to log into the victim's online banking accounts, and nothing stops them from turning the same technique on the user's non-banking accounts as well.
Thankfully, Cerberus had been a relatively ordinary piece of malware since its discovery back in July 2019.
Cerberus has all the features of standard banking malware like overlay attacks, SMS control, keylogging, contact list harvesting, and much more.
However, the ability to control a device remotely is one feature that was only added recently. Cerberus' developers even advertised the malware on their Twitter page.
This version of Cerberus leverages its remote-control capability to perform a host of new functions. It can now steal information such as screen-unlock credentials and the 2FA codes generated by Google Authenticator.
Once Cerberus has infected a device with the 2FA app installed, the malware can access the user's codes and send that information back to a designated server.
There’s still good news despite the malware threat
Thankfully, according to ThreatFabric, the RAT feature is not yet active in the version of Cerberus currently advertised and sold on hacking forums.
But researchers say that "it might be released soon," which means it is only a matter of time before hackers can get their hands on the advanced malware.
Considering this new threat and its capabilities, now is the time for Android and app developers to step up their security.
Unfortunately, there is not much users can do at this point. Researchers remind users to install security updates on their phones as soon as they become available.