Android malware can steal Google Authenticator 2FA codes

[silversurfer]

Content source

https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/

Security researchers say that an Android malware strain can now extract and steal one-time passcodes (OTP) generated through Google Authenticator, a mobile app that's used as a two-factor authentication (2FA) layer for many online accounts.

In a report published this week, security researchers from Dutch mobile security firm ThreatFabric say they've spotted an Authenticator OTP-stealing capability in recent samples of Cerberus, a relatively new Android banking trojan that launched in June 2019.

"Abusing the Accessibility privileges, the Trojan can now also steal 2FA codes from Google Authenticator application," the ThreatFabric team said.
"When the [Authenticator] app is running, the Trojan can get the content of the interface and can send it to the [command-and-control] server," they added.
"We believe that this variant of Cerberus is still in the test phase but might be released soon," researchers said.

ThreatFabric report that summarizes all the recent remote access-related upgrades detected in Android malware strains. The report contains additional insights about other Android malware operations, such as Gustuff, Hydra, Ginp, and Anubis.

 

[upnorth]

Nice report/s created by ThreatFabric.

Most Android banking Trojans use overlay attacks to trick the victim into providing their personal information (such as but not limited to: credit card information, banking credentials, mail credentials) and Cerberus is no exception. In this particular case, the bot abuses the accessibility service privilege

Cerberus - A new banking Trojan from the underworld

New Cerberus Android banking Trojan joins the threat-landscape at the moment that the banking malware rental business has no more leader. Read what to expect next.

www.threatfabric.com

 

[Outpost]

Interesting, but a non-indifferent interaction of the victim is required. First, the malware has to get into the system. From where? Unknown origins? In this case, it is a serious user mistake. After installation, the malware asks for accessibility privileges. Even in this case, the user who grants them makes the second serious mistake. Subsequently, the malware launches TeamViewer (here it is not clear whether it must already be installed on the victim's device). Then the overlay prompts you to enter the unlock PIN. By misusing the privileges (granted by the victim), the 2FA codes of Google Authenticator (which must be active at that time) can be stolen (it is to be understood if an Authenticator bug is brought in. - the App has not been updated since 2017)

 

[upnorth]

Great catch! I mean that Google Authenticator haven't been updated since 2017. Makes me glad I never installed it. Feels like a possible abandonware nowadays and I did a small search and found Google has another 2FA app project that looks much better. I have no idea why that aren't propagated/advertised or I simply haven't seen the ads.

The Only Full-Stack Identity & Access Management Solution

saaspass.com

What I could conclude from the report, the researcher got hold of a sample that has not been released yet. Exactly how etc, is not included.

This new Cerberus variant has undergone refactoring

Until now, the end of February 2020, no advertisement for these features has yet been made in underground forums. Therefore, we believe that this variant of Cerberus is still in the test phase but might be released soon.

Also the TeamViewer connection was/is in the case it's actually available on the system = installed. If not TeamViewer the developers for sure can code it to open/start any other Remote Manager. VNC and RAdmin is mentioned.

it can also launch TeamViewer and setup connections to it

That it's used against Googles Authenticator, again I interpret as one app that's tested. Can't say for sure but got a feeling even if it's an outdated app, that in some parts of the world this malware would work better. Brazil seems extra hard attacked from Banking malware and I'm not sure if it's their infrastructure that attract or.

Palo Alto Networks Unit 42 presented 2017 a report on a overlay attacking malware called " Cloak and Dagger ". If curious I highly recommend read that as it also contains a demonstration video.

Android Toast Overlay Attack: “Cloak and Dagger” with No Permissions

Palo Alto Networks Unit 42 researchers have uncovered a high severity vulnerability in the Android overlay system, which allows a new Android overlay attack by using the “Toast type” overlay.

unit42.paloaltonetworks.com

 

[Outpost]

@upnorth

I don't know if SAASPASS is actually a Google project. However, if you have to choose an app for 2FA access you have a fair choice. For example, I also use Authy for authentication to Google itself.

 

[upnorth]

I mixed up what simply is written for all apps on Google Play. " Offered By Google Commerce Ltd ".

SAASPASS Authenticator 2FA App - Apps on Google Play

SAASPASS Secure Single Sign-on & Multi Factor Authentication

play.google.com

Authy I heard about.

 

[Outpost]

You are right. I hadn't gone down to the bottom of the page.

 

[silversurfer]

@upnorth

I don't know if SAASPASS is actually a Google project. However, if you have to choose an app for 2FA access you have a fair choice. For example, I also use Authy for authentication to Google itself.

Same here, I'm using Authy or even Microsoft-Authenticator, both working for 2FA into Gmail account.

 

[Outpost]

Same here, I'm using Authy or even Microsoft-Authenticator, both working for 2FA into Gmail account.

By now I use 2FA everywhere I can: Microsoft, Google, Mega, Bitwarden, Amazon, etc. etc. Also MT

 

[silversurfer]

Google could have fixed 2FA code-stealing flaw in Authenticator app years ago

Google Authenticator app lets other apps take screenshots of its code. Issue was first reported to Google in October 2014, but it was never addressed.

www.zdnet.com