A new Android malware strain can extract and steal one-time passcodes (OTPs) generated by Google Authenticator, a mobile app used as a two-factor authentication (2FA) layer for many online accounts.
Google launched the Authenticator mobile app in 2010. The app generates unique six- to eight-digit codes that users enter in login forms when they access online accounts.
Google launched Authenticator as an alternative to SMS-based one-time passcodes. Online accounts using Authenticator codes as a 2FA layer were considered more secure than those protected by SMS-based codes, because Authenticator codes are generated on the user's smartphone and never have to pass through insecure mobile networks.
Security researchers from the Dutch mobile security firm ThreatFabric published a report stating that they found an Authenticator OTP-stealing capability in recent samples of a new Android banking trojan named Cerberus, which was launched in June 2019.
By misusing Accessibility privileges, the Trojan is able to steal 2FA codes from the Google Authenticator application.
The researchers said that while the app is running, the Trojan can read the content of its interface and send it to the command-and-control server.
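Because the theft depends on an accessibility service being enabled on the device, one practical defender-side check is to audit which accessibility services are enabled and flag any package not on an expected allowlist. The following is an added example, not code from the article or from ThreatFabric; it parses the value returned by `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of flattened component names), using a constructed sample and a hypothetical allowlist.

```python
import subprocess
from typing import Dict, List, Set

# Constructed sample in the format returned by
# `adb shell settings get secure enabled_accessibility_services`:
# colon-separated flattened ComponentName strings ("package/class" or "package/.Class").
# The second entry is a made-up package name standing in for an unexpected service.
SAMPLE_OUTPUT = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.unknownapp/.ScreenReaderService"
)

# Hypothetical allowlist: packages whose accessibility services are expected on managed devices.
ALLOWED_PACKAGES: Set[str] = {"com.google.android.marvin.talkback"}


def parse_services(raw: str) -> List[Dict[str, str]]:
    """Split the setting value into (package, class) pairs, expanding the short '.Class' form."""
    services: List[Dict[str, str]] = []
    for entry in raw.strip().split(":"):
        # Android returns the literal string "null" when no service is enabled.
        if not entry or entry == "null":
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append({"package": pkg, "class": cls})
    return services


def find_unexpected(raw: str, allowed: Set[str] = ALLOWED_PACKAGES) -> List[str]:
    """Return flattened names of enabled services whose package is not on the allowlist."""
    return [
        f"{s['package']}/{s['class']}"
        for s in parse_services(raw)
        if s["package"] not in allowed
    ]


def read_device_setting() -> str:
    """Query a connected device; needs adb on PATH and a device with USB debugging enabled."""
    cmd = ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for name in find_unexpected(SAMPLE_OUTPUT):
        print("unexpected accessibility service enabled:", name)
```

Replace `SAMPLE_OUTPUT` with `read_device_setting()` to run the check against a real device; any flagged service deserves a look, since an unfamiliar app holding accessibility access can read the screen of other apps.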
However, they said that this new feature is not yet live in the Cerberus version advertised and sold on hacking forums.
They believe that the new variant of Cerberus is still in the test phase and might be released in the future.
But it is also important to note that the current versions of the Cerberus banking trojan are already very advanced: Cerberus now has the same features found in remote access trojans (RATs).
The RAT features let Cerberus operators remotely connect to an infected device, use the owner's banking credentials to access an online banking account, and then use the Authenticator OTP-stealing feature to bypass 2FA protections on the account.
The researchers believe that the new Cerberus variant will also use this feature to bypass Authenticator-based 2FA protections on online banking accounts.