'Cerberus' malware can steal 2FA codes from Google Authenticator
Google Authenticator offers a secure way to get codes for two-factor authentication (2FA), the technique that protects online accounts against takeover by a third party who has obtained the password. The codes verify individual login attempts, but as it turns out, even codes generated by Google's own app are no longer out of reach. A new report has revealed that malware can steal Google Authenticator codes, putting your online accounts directly at risk. Here's all about it.
Cerberus banking trojan stealing 2FA codes
As ThreatFabric reports, Cerberus, a banking trojan that has existed for months, has been updated with the ability to steal 2FA codes from the Google Authenticator app. The malware acts while Authenticator is running: it abuses the accessibility privileges it has been granted to read the entire content of the app's interface, including the displayed codes. It then sends all that data to a command-and-control (C2) server.
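Because the attack depends on an accessibility service that the user (or a social-engineering prompt) enabled, one practical check for a defender or a fleet administrator is to inventory which accessibility services are enabled on a device and flag any that are not expected. The following is an added example, not code from the article or from ThreatFabric. It assumes the value of the Android secure setting `enabled_accessibility_services`, as printed by `adb shell settings get secure enabled_accessibility_services`, which lists enabled services as colon-separated `package/ServiceClass` entries and prints `null` when none are enabled; the sample value and the allowlist are constructed, and `com.example.unknownapp` is a placeholder package name.

```python
# Added example (not from the article or ThreatFabric): inventory the accessibility
# services enabled on an Android device and flag any that are not on an allowlist.
# Input is the value of the secure setting read with
#   adb shell settings get secure enabled_accessibility_services
# which lists enabled services as colon-separated "package/ServiceClass" entries
# and prints "null" when none are enabled.
from typing import Iterable, List, Tuple

# Constructed sample output: TalkBack (expected) plus a hypothetical unknown service.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.unknownapp/.OverlayService"
)

# Hypothetical allowlist of packages whose accessibility services are expected.
ALLOWED_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the setting string into (package, fully qualified service class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue  # skip malformed entries rather than crash on them
        package, service = entry.split("/", 1)
        # A leading dot means the class name is relative to the package name.
        if service.startswith("."):
            service = package + service
        services.append((package, service))
    return services


def flag_unexpected(raw: str, allowed_packages: Iterable[str]) -> List[str]:
    """Return 'package/Service' strings whose package is not on the allowlist."""
    allowed = set(allowed_packages)
    return [
        f"{package}/{service}"
        for package, service in parse_enabled_services(raw)
        if package not in allowed
    ]


if __name__ == "__main__":
    for flagged in flag_unexpected(SAMPLE_SETTING, ALLOWED_PACKAGES):
        print("unexpected accessibility service:", flagged)
```

Any flagged entry is a candidate for review: a legitimate screen reader or automation tool will usually be on the allowlist, while an unfamiliar sideloaded package holding accessibility rights is exactly the position from which a trojan like Cerberus reads other apps' screens.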
Once code is stolen, accounts can be compromised
Once a code gets into the hands of an attacker, they can easily use it to break into your 2FA-enabled account, be it an online banking account, a Google account, or a social media service like Twitter. "We can deduce that this functionality will be used to bypass authentication services that rely on OTP codes," ThreatFabric said, highlighting the risk posed by the trojan.
However, as of now, the new capability appears to be in testing
Though Cerberus has been around for months, its updated variant still appears to be in the development phase. Specifically, ThreatFabric says, the banking malware's new capability is not being promoted on underground forums, which implies it is either unfinished or still in the testing phase. However, that might change soon, say by the end of 2020.
No word from Google on the matter
So far, Google has neither commented on the matter nor explained what it is doing to counter this threat. Evidently, the same technique can compromise other 2FA apps, which means the company needs to make some changes to Android permissions to ensure that the malware is no longer able to take advantage of device privileges for stealing codes.