New Malware Strain Steals Google Authenticator 2FA Codes From Under Your Nose

  • It can use the owner's banking credentials to access an online banking account.
  • This variant of the Trojan is still in the test phase but might be released soon.

Security experts discovered a new Android malware variant that can extract and steal one-time passcodes (OTP) generated through Google Authenticator.

What happened?
A team of researchers reported spotting an Authenticator OTP-stealing capability in Cerberus, a relatively new Android banking trojan that first appeared last year.

According to the reports, current versions of the Cerberus banking trojan already possess several advanced capabilities. To steal 2FA codes it abuses Android's Accessibility Service privileges: once the Authenticator app is opened, the malware reads the contents of the app's interface, including the displayed codes, and sends them to an attacker-controlled server.

How does Authenticator work?
Google launched the Authenticator mobile app in 2010 as an alternative to SMS-based one-time passcodes.

The app generates six- to eight-digit codes that are valid only for a short time window and that users must enter in login forms, alongside their password, when accessing online accounts.
Because Google Authenticator codes are generated locally on the smartphone from a shared secret and are never transmitted over the mobile network, accounts protected this way are considered more secure than those protected by SMS-based codes, which can be intercepted or redirected (for example through SIM swapping).
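To make the mechanism concrete, here is an added example (not Google's code, and not from the researchers' report) of the RFC 6238 time-based one-time password algorithm that Google Authenticator implements. It derives a code from a shared secret and the current 30-second time step, and includes a server-side verifier with the usual one-step tolerance window. The secret is the RFC 6238 reference seed, used here as a constructed example; a real Authenticator secret is the base32 string embedded in the otpauth:// QR code. The verifier also shows why a stolen code is only useful for a minute or so, which is why the trojan pairs code theft with live remote access to the device.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the RFC 6238 reference seed (ASCII "12345678901234567890").
# Authenticator stores the same kind of secret, encoded in base32, when you scan the QR code.
RFC6238_SEED = b"12345678901234567890"
RFC6238_SEED_B32 = base64.b32encode(RFC6238_SEED).decode()


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamic-truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    This is exactly what the phone computes; nothing is sent over the network,
    which is why the codes survive SIM swapping but not on-device screen reading.
    """
    secret = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret_b32, candidate, unix_time, step=30, digits=6, window=1):
    """Server-side check: accept the current step plus `window` steps either side.

    With the default 30 s step and window=1, a code stolen from the screen is
    accepted for at most ~90 s, so the attacker must use it almost immediately.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("Authenticator would show:", totp(RFC6238_SEED_B32, now))
    print("Valid now?", verify_totp(RFC6238_SEED_B32, totp(RFC6238_SEED_B32, now), now))
    print("Valid 5 minutes later?",
          verify_totp(RFC6238_SEED_B32, totp(RFC6238_SEED_B32, now), now + 300))
```

The first three calls in a quick check reproduce the RFC 6238 Appendix B vectors (for example, time 59 with eight digits gives 94287082), which is a convenient way to confirm an implementation before trusting it.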

How does the trojan (still in development) work in tandem with Authenticator?
The new Cerberus variant includes the set of features usually found in advanced remote access trojans (RATs):

  • The operator can remotely connect to an infected device.
  • It can use the owner's banking credentials to access an online banking account.
  • It then uses the Authenticator OTP-stealing capability to bypass 2FA protections on the account, if required.

This 2FA code-stealing feature is not yet live in the Cerberus version currently being advertised and sold on hacking forums. "We believe that this variant of Cerberus is still in the test phase but might be released soon," the researchers say.

Closing lines
Experts expect the Cerberus trojan to be used primarily against online banking accounts. However, nothing stops its operators from bypassing Authenticator-based 2FA on other types of accounts too, including email, code repositories, social media, intranets, and more.