silversurfer

Security researchers say that an Android malware strain can now extract and steal one-time passcodes (OTP) generated through Google Authenticator, a mobile app that's used as a two-factor authentication (2FA) layer for many online accounts.

In a report published this week, security researchers from Dutch mobile security firm ThreatFabric say they've spotted an Authenticator OTP-stealing capability in recent samples of Cerberus, a relatively new Android banking trojan that launched in June 2019.

"Abusing the Accessibility privileges, the Trojan can now also steal 2FA codes from Google Authenticator application," the ThreatFabric team said.
"When the [Authenticator] app is running, the Trojan can get the content of the interface and can send it to the [command-and-control] server," they added.
"We believe that this variant of Cerberus is still in the test phase but might be released soon," researchers said.
ThreatFabric's report summarizes all the recent remote access-related upgrades detected in Android malware strains. The report contains additional insights about other Android malware operations, such as Gustuff, Hydra, Ginp, and Anubis.

upnorth

Nice report(s) created by ThreatFabric.
Most Android banking Trojans use overlay attacks to trick the victim into providing their personal information (such as but not limited to: credit card information, banking credentials, mail credentials) and Cerberus is no exception. In this particular case, the bot abuses the accessibility service privilege

Outpost

Interesting, but a not insignificant interaction by the victim is required. First, the malware has to get into the system. From where? Unknown origins? In that case, it is a serious user mistake. After installation, the malware asks for accessibility privileges. Even here, the user who grants them makes a second serious mistake. Subsequently, the malware launches TeamViewer (here it is not clear whether it must already be installed on the victim's device). Then the overlay prompts you to enter the unlock PIN. By misusing the privileges (granted by the victim), the 2FA codes of Google Authenticator (which must be active at that time) can be stolen (it remains to be understood whether an Authenticator bug is involved; the app has not been updated since 2017).
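A defensive illustration of the two points raised in the posts above (the trojan reading "the content of the interface" through the accessibility service, and the user having granted that privilege). This is added example code, not from the thread, from ThreatFabric's report or from Google Authenticator; class and method names (`OtpScreenHardening`, `enabledAccessibilityServices`, `hasUnexpectedAccessibilityService`, `hardenOtpView`) and the allow-list of trusted service packages are my own assumptions. It shows what an app that displays OTPs can do on Android: enumerate the accessibility services the user has enabled and flag any not on an allow-list, and mark the OTP view as not important for accessibility while blocking screen capture of the window.

```java
// Added example (not from the thread or from any cited project): app-side mitigations
// against accessibility-service scraping of a displayed one-time code on Android.
import android.app.Activity;
import android.content.ComponentName;
import android.content.Context;
import android.provider.Settings;
import android.text.TextUtils;
import android.view.View;
import android.view.WindowManager;
import android.widget.TextView;

import java.util.ArrayList;
import java.util.List;

public final class OtpScreenHardening {
    private OtpScreenHardening() {}

    /** Parses the system setting that lists every enabled accessibility service
     *  (colon-separated flattened ComponentNames). */
    public static List<ComponentName> enabledAccessibilityServices(Context ctx) {
        List<ComponentName> out = new ArrayList<>();
        String setting = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        if (TextUtils.isEmpty(setting)) {
            return out;
        }
        TextUtils.SimpleStringSplitter splitter = new TextUtils.SimpleStringSplitter(':');
        splitter.setString(setting);
        while (splitter.hasNext()) {
            ComponentName cn = ComponentName.unflattenFromString(splitter.next());
            if (cn != null) {
                out.add(cn);
            }
        }
        return out;
    }

    /** True when some enabled accessibility service belongs to a package that is not
     *  on the caller's allow-list (assumed list: e.g. the platform screen reader).
     *  A banking or authenticator app can use this to warn the user or to refuse to
     *  show a code until the unexpected service is disabled. */
    public static boolean hasUnexpectedAccessibilityService(Context ctx,
                                                            List<String> allowedPackages) {
        for (ComponentName cn : enabledAccessibilityServices(ctx)) {
            if (!allowedPackages.contains(cn.getPackageName())) {
                return true;
            }
        }
        return false;
    }

    /** Hardens the screen that shows the code: FLAG_SECURE blocks screenshots and
     *  screen recording of the window, and marking the view as not important for
     *  accessibility keeps it out of the default accessibility node tree. */
    public static void hardenOtpView(Activity activity, TextView otpView) {
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
        otpView.setImportantForAccessibility(View.IMPORTANT_FOR_ACCESSIBILITY_NO);
        otpView.setContentDescription(null);
    }
}
```

Two caveats a practitioner should keep in mind: `IMPORTANT_FOR_ACCESSIBILITY_NO` only removes the view from the default tree, and a service that requests `flagIncludeNotImportantViews` can still read it, so the check for unexpected services is the stronger of the two controls; and `FLAG_SECURE` addresses screen capture, not accessibility text extraction, so it does not by itself stop the technique the report describes.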

upnorth

Great catch! I mean that Google Authenticator hasn't been updated since 2017. Makes me glad I never installed it. Feels like possible abandonware nowadays, and I did a small search and found Google has another 2FA app project that looks much better. I have no idea why that isn't propagated/advertised, or I simply haven't seen the ads.

What I could conclude from the report is that the researchers got hold of a sample that has not been released yet. Exactly how, etc., is not included.
"This new Cerberus variant has undergone refactoring"
"Until now, the end of February 2020, no advertisement for these features has yet been made in underground forums. Therefore, we believe that this variant of Cerberus is still in the test phase but might be released soon."
Also, the TeamViewer connection was/is in the case it's actually available on the system = installed. If not TeamViewer, the developers for sure can code it to open/start any other remote manager. VNC and RAdmin are mentioned.
"it can also launch TeamViewer and setup connections to it"
That it's used against Google's Authenticator, again I interpret as one app that's tested. Can't say for sure, but I have a feeling that even if it's an outdated app, in some parts of the world this malware would work better. Brazil seems extra hard hit by banking malware, and I'm not sure if it's their infrastructure that attracts it or.

Palo Alto Networks Unit 42 presented in 2017 a report on an overlay-attacking malware called "Cloak and Dagger". If curious, I highly recommend reading that, as it also contains a demonstration video.

upnorth

I mixed up what is simply written for all apps on Google Play: "Offered By Google Commerce Ltd".
Authy I have heard about.