
Android malware can steal Google Authenticator 2FA codes


steven36


A new version of the "Cerberus" Android banking trojan will be able to steal one-time codes generated by the Google Authenticator app and bypass 2FA-protected accounts.


Security researchers say that an Android malware strain can now extract and steal one-time passcodes (OTP) generated through Google Authenticator, a mobile app that's used as a two-factor authentication (2FA) layer for many online accounts.

 

Google launched the Authenticator mobile app in 2010. The app works by generating unique six- to eight-digit codes that users must enter in login forms while trying to access online accounts.

 

Google launched Authenticator as an alternative to SMS-based one-time passcodes. Because Google Authenticator codes are generated on a user's smartphone and never travel through insecure mobile networks, online accounts that use Authenticator codes as a 2FA layer are considered more secure than those protected by SMS-based codes.

Cerberus gets Authenticator OTP-stealing capabilities

In a report published this week, security researchers from Dutch mobile security firm ThreatFabric say they've spotted an Authenticator OTP-stealing capability in recent samples of Cerberus, a relatively new Android banking trojan that launched in June 2019.

 

"Abusing the Accessibility privileges, the Trojan can now also steal 2FA codes from Google Authenticator application," the ThreatFabric team said.

 

"When the [Authenticator] app is running, the Trojan can get the content of the interface and can send it to the [command-and-control] server," they added.

 

ThreatFabric said this new feature is not yet live in the Cerberus version advertised and sold on hacking forums.

 

 

"We believe that this variant of Cerberus is still in the test phase but might be released soon," researchers said.

Feature developed for bypassing 2FA on banking accounts

All in all, the ThreatFabric team points out that current versions of the Cerberus banking trojan are very advanced. They say Cerberus now includes the same breadth of features usually found in remote access trojans (RATs), a superior class of malware.

 

These RAT features allow Cerberus operators to remotely connect to an infected device, use the owner's banking credentials to access an online banking account, and then use the Authenticator OTP-stealing feature to bypass 2FA protections on the account -- if present.

 

ThreatFabric researchers believe the Cerberus trojan will most likely use this feature to bypass Authenticator-based 2FA protections on online banking accounts; however, there's nothing stopping hackers from bypassing Authenticator-based 2FA on other types of accounts. This includes email inboxes, coding repositories, social media accounts, intranets, and others.

 

Historically, very few hacker groups and even fewer malware strains [1, 2] have ever had the ability to bypass multi-factor (MFA) authentication solutions.

 

If this feature works as intended and ships with Cerberus, it will put the banking trojan in an elite category of malware strains.

 

The new Cerberus capabilities are detailed in a ThreatFabric report that summarizes all the recent remote access-related upgrades detected in Android malware strains. The report contains additional insights about other Android malware operations, such as Gustuff, Hydra, Ginp, and Anubis.

 

Source
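The report's key point is that the trojan reads the Authenticator screen through Android's Accessibility privileges, so the first thing a defender checks on a suspect device is which accessibility services are actually switched on. The audit below is an added example, not code from the article or from ThreatFabric; it parses the `enabled_accessibility_services` secure setting (the value `adb shell settings get secure enabled_accessibility_services` prints) and flags any service whose package is not on an allowlist. The allowlist and the sample setting value are constructed for the example; the unknown package name is hypothetical.

```python
"""Audit enabled Android accessibility services against an allowlist.

Android stores the enabled services as a colon-separated list of
'package/ServiceClass' entries; the class may be abbreviated as '.Class'
when it lives inside the package itself. An unset value prints as 'null'.
"""
import subprocess
from typing import Dict, List, Set

# Constructed allowlist: accessibility tools an organisation expects to see.
# TalkBack is Android's own screen reader; extend this list for your fleet.
KNOWN_GOOD: Set[str] = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting_value: str) -> List[str]:
    """Normalise the raw setting string into 'package/fully.qualified.Class' names."""
    services = []
    for entry in setting_value.strip().split(":"):
        if not entry or entry == "null":
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):          # expand the abbreviated class form
            cls = pkg + cls
        services.append(f"{pkg}/{cls}")
    return services


def audit(setting_value: str, allowlist: Set[str] = KNOWN_GOOD) -> Dict[str, List[str]]:
    """Split enabled services into expected ones and ones that need a closer look."""
    result: Dict[str, List[str]] = {"expected": [], "suspicious": []}
    for svc in parse_enabled_services(setting_value):
        bucket = "expected" if svc.split("/", 1)[0] in allowlist else "suspicious"
        result[bucket].append(svc)
    return result


def read_setting_from_device() -> str:
    """Pull the live value over adb (needs adb on PATH and a connected device)."""
    proc = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed sample: the real screen reader plus a hypothetical app that has
# quietly obtained accessibility rights (the capability Cerberus abuses).
SAMPLE = ("com.google.android.marvin.talkback/.TalkBackService:"
          "com.example.unknownapp/com.example.unknownapp.AccService")

if __name__ == "__main__":
    for level, names in audit(SAMPLE).items():
        for name in names:
            print(f"{level:10s} {name}")
```

Replace `SAMPLE` with `read_setting_from_device()` to run the same audit against a real device; any entry in the suspicious bucket deserves a look at the app behind it.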

zanderthunder

Surprisingly, the report doesn't mention Google Play Protect detecting and removing this trojan (if it's disguised as an app). But nonetheless, I guess the way to keep the phone safe is to use a reputable 3rd-party mobile security app, not root the OS and always keep the Android OS up-to-date.



New Android malware can steal 2FA codes from Google Authenticator

A new form of Android malware can swipe 2FA codes from Google Authenticator.

 

Two-factor authentication (2FA) is one of the best ways to protect your accounts and services, and Google Authenticator is arguably the most popular app in this regard.

 

Unfortunately, a new form of Android malware is capable of stealing 2FA codes from Google’s app, according to a report by security firm Threatfabric (via ZDNet). According to the report, a variant of the Cerberus banking trojan emerged with this ability in January 2020.

 

“Abusing the Accessibility privileges, the Trojan can now also steal 2FA codes from Google Authenticator application. When the app is running, the Trojan can get the content of the interface and can send it to the C2 [command and control – ed] server. Once again, we can deduce that this functionality will be used to bypass authentication services that rely on OTP codes,” reads an excerpt of the report.

 

Threatfabric notes that the new malware feature isn’t being advertised on underground forums just yet, suggesting that this capability is still in testing. The firm says it still presents a major threat to online banking services though. But this could also be a massive threat to other accounts and services that use 2FA, such as email, Google accounts, and more.

 

Two-factor authentication apps like Google Authenticator are generally considered to be more secure than SMS-based 2FA. Two-factor codes sent via text message can be intercepted, and there have indeed been numerous cases of SIM swap fraud that allowed criminal actors to obtain these codes.

 

Nevertheless, we hope to see Google shore up Android’s defenses against this malware, as it likely affects other 2FA apps as well. But hopefully it doesn’t mean similarly drastic measures like it took with SMS and calling permissions.

 

Source



Similar topic merged from Mobile News.



Google Authenticator app no longer safe thanks to new malware


Highlights

 

  • New malware steals 2FA codes from Google Authenticator
  • Malware currently only impacts Android devices

 

Two-Factor Authentication (2FA) was the industry’s answer to curbing illegitimate access to online accounts. This was especially the case for preventing bank accounts from being hacked, and it was eventually adopted by companies like Google, Facebook, Apple, etc. Now a new security threat claims to be able to steal 2FA codes from the Google Authenticator.

 

According to Threatfabric, new Android malware is capable of stealing 2FA codes from Google’s app. Typically apps like Google’s 2FA or even Microsoft’s App for that matter are considered safer than the SMS method of receiving 2FA codes. This was because SMS isn’t transmitted over a secure protocol and can be intercepted. Then there’s the additional threat of SIM cloning that has led to multiple counts of banking fraud in the past. Now, it would appear that Google’s 2FA app has also been proven to be vulnerable.

 

According to Threatfabric, the malware is not yet being distributed or advertised on underground forums, suggesting that the hack may still be in its testing stages. What we don’t know yet is whether the malware is exploiting something in the Android OS or a weakness in Google’s 2FA app to gain access to the codes. The report only lists the vulnerability as impacting Android, meaning iOS users are still secure. This could also mean that the malware exploits a combined vulnerability in Android and the 2FA app. There is also no information on whether the malware would make other 2FA apps vulnerable, but in either case, it is something to be supremely worried about.

 

Source



Similar topics merged.
