Android malware can steal Google Authenticator 2FA codes

silversurfer

Security researchers say that an Android malware strain can now extract and steal one-time passcodes (OTP) generated through Google Authenticator, a mobile app that's used as a two-factor authentication (2FA) layer for many online accounts.

In a report published this week, security researchers from Dutch mobile security firm ThreatFabric say they've spotted an Authenticator OTP-stealing capability in recent samples of Cerberus, a relatively new Android banking trojan that launched in June 2019.

"Abusing the Accessibility privileges, the Trojan can now also steal 2FA codes from Google Authenticator application," the ThreatFabric team said.
"When the [Authenticator] app is running, the Trojan can get the content of the interface and can send it to the [command-and-control] server," they added.
"We believe that this variant of Cerberus is still in the test phase but might be released soon," researchers said.
The findings come from a ThreatFabric report that summarizes all the recent remote-access-related upgrades detected in Android malware strains. The report contains additional insights about other Android malware operations, such as Gustuff, Hydra, Ginp, and Anubis.
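The capability described above rests on one Android privilege: an app enabled as an accessibility service can read the text of other apps' windows. A practical defensive check is therefore to list which services currently hold that privilege. The script below is an added example (not code from the thread or from ThreatFabric's report): it parses the Secure setting `enabled_accessibility_services`, which you can read from a USB-debugging-enabled device with `adb shell settings get secure enabled_accessibility_services`, and flags any service whose package is not on an allowlist. The allowlist, the sample setting value and the `com.example.flashlight` package are constructed for the example.

```python
"""Added example: list the accessibility services enabled on an Android device.

Not code from the thread or from ThreatFabric's report. It parses the Secure
setting that Android uses to record enabled accessibility services, which a
defender can read from a USB-debugging-enabled device with

    adb shell settings get secure enabled_accessibility_services

The allowlist and the sample setting value below are constructed for this
example; replace the allowlist with the services you actually rely on.
"""
import subprocess
from typing import Iterable, List, NamedTuple


class AccessibilityService(NamedTuple):
    package: str
    service_class: str

    @property
    def component(self) -> str:
        return f"{self.package}/{self.service_class}"


def parse_enabled_services(setting_value: str) -> List[AccessibilityService]:
    """Parse a colon-separated list of flattened ComponentNames.

    The setting reads "null" (or is empty) when nothing is enabled; each entry
    is "package/serviceClass", where a class written as ".Foo" is shorthand
    for "package.Foo".
    """
    value = setting_value.strip()
    if not value or value == "null":
        return []
    services: List[AccessibilityService] = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        if "/" not in entry:
            # Not a flattened component name; keep it visible rather than drop it.
            services.append(AccessibilityService(entry, ""))
            continue
        package, service_class = entry.split("/", 1)
        if service_class.startswith("."):
            service_class = package + service_class
        services.append(AccessibilityService(package, service_class))
    return services


def flag_unexpected_services(setting_value: str,
                             allowlist: Iterable[str]) -> List[AccessibilityService]:
    """Return enabled services whose package is not on the allowlist.

    Any app granted this privilege can read the content of other apps'
    windows, which is the capability Cerberus abuses against Authenticator.
    """
    allowed = set(allowlist)
    return [s for s in parse_enabled_services(setting_value)
            if s.package not in allowed]


def read_setting_from_device() -> str:
    """Read the live value over adb; raises if adb or a device is missing."""
    result = subprocess.run(
        ["adb", "shell", "settings", "get", "secure",
         "enabled_accessibility_services"],
        capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample: TalkBack (expected) plus a "flashlight" app that has
# quietly been granted accessibility access (hypothetical package name).
SAMPLE_SETTING = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.flashlight/.AccessService"
)
KNOWN_GOOD_PACKAGES = {"com.android.talkback"}


if __name__ == "__main__":
    try:
        setting = read_setting_from_device()
        source = "device"
    except (FileNotFoundError, subprocess.CalledProcessError):
        setting, source = SAMPLE_SETTING, "constructed sample"
    print(f"Reading enabled_accessibility_services from {source}")
    for svc in parse_enabled_services(setting):
        verdict = "ok" if svc.package in KNOWN_GOOD_PACKAGES else "REVIEW"
        print(f"  [{verdict}] {svc.component}")
```

Run it with a device attached to check the live value; without one it falls back to the constructed sample. Anything marked REVIEW deserves a look, because the user had to approve that grant by hand, exactly the step Outpost describes further down the thread.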
 

upnorth

Nice report(s) created by ThreatFabric.
Most Android banking Trojans use overlay attacks to trick the victim into providing their personal information (such as, but not limited to: credit card information, banking credentials, mail credentials), and Cerberus is no exception. In this particular case, the bot abuses the accessibility service privilege.
 

Outpost

Interesting, but a considerable amount of interaction from the victim is required. First, the malware has to get into the system. From where? Unknown origins? In this case, it is a serious user mistake. After installation, the malware asks for accessibility privileges. Even in this case, the user who grants them makes the second serious mistake. Subsequently, the malware launches TeamViewer (here it is not clear whether it must already be installed on the victim's device). Then the overlay prompts you to enter the unlock PIN. By misusing the privileges (granted by the victim), the 2FA codes of Google Authenticator (which must be active at that time) can be stolen (it remains to be seen whether an Authenticator bug is involved; the app has not been updated since 2017).
 

upnorth

Great catch! I mean that Google Authenticator hasn't been updated since 2017. Makes me glad I never installed it. Feels like possible abandonware nowadays, and I did a small search and found Google has another 2FA app project that looks much better. I have no idea why it isn't propagated/advertised, or I simply haven't seen the ads.

What I could conclude from the report is that the researchers got hold of a sample that has not been released yet. Exactly how, etc., is not included.
"This new Cerberus variant has undergone refactoring"
"Until now, the end of February 2020, no advertisement for these features has yet been made in underground forums. Therefore, we believe that this variant of Cerberus is still in the test phase but might be released soon."
Also, the TeamViewer connection was/is only used in the case that it's actually available on the system, i.e. installed. If not TeamViewer, the developers can for sure code it to open/start any other remote manager. VNC and RAdmin are mentioned.
"it can also launch TeamViewer and setup connections to it"
That it's used against Google's Authenticator I again interpret as one app that's being tested. Can't say for sure, but I have a feeling that even if it's an outdated app, in some parts of the world this malware would work better. Brazil seems to be attacked extra hard by banking malware, and I'm not sure if it's their infrastructure that attracts it or...

Palo Alto Networks Unit 42 presented a report in 2017 on an overlay-attacking malware called "Cloak and Dagger". If curious, I highly recommend reading that, as it also contains a demonstration video.
 

silversurfer

@upnorth

"I don't know if SAASPASS is actually a Google project. However, if you have to choose an app for 2FA access you have a fair choice. For example, I also use Authy for authentication to Google itself."
Same here, I'm using Authy or even Microsoft Authenticator, both working for 2FA into my Gmail account.
 
