A variant of the “Cerberus” banking trojan, is capable of interpreting the codes generated by the application of 2FA Google Authentificator. One of the most used two-factor authentication systems on Android.
Two-factor authentication is one of the safest ways to log in to an online account. If this method can resort to sending SMS, generating codes via an application, such as Google Authentificator, is even more secure since no sending of messages (which can potentially be intercepted) is required. Unfortunately for Google, its 2FA application is now vulnerable to malware.
According to a report published recently by Threatfabric security researchers, a variant of the “Cerberus” banking trojan has been able since last January to detect the codes generated by Google Authenticator and to exploit them for malicious purposes. To achieve this, the malware takes advantage of the accessibility features of Android.
“By abusing accessibility privileges, this malware can now steal 2FA codes from the Google Authenticator application. When we launch the application, the malware can obtain the content of the interface and send it to the C2 server (command and control). Once again, it can be inferred that this functionality will be used to bypass authentication services that rely on OTP codes “Reads the report, spotted by ZDNet.
Malware that could also affect other two-factor identification applications
As Threatfabric indicates in its analysis, this new feature of Cerberus does not yet seem to be much talked about on underground forums frequented by hackers, which suggests that it is currently only in the phase of test … and therefore little (or not) exploited in fact. However, it could ultimately represent a major threat to many services using two-factor identification, whether it is simply logging into their Twitter or Google account … or banking services.
Due to its operating mode, the malware could finally relate to other 2FA applications than Google Authenticator. It is, therefore, the responsibility of Google, which must, as soon as possible, strengthen the protections of Android against this type of threat.