Skip to main content

Android banking trojan steals Google two-factor authentication codes

(Image credit: Shutterstock)

Cerberus, a malware strain targeting Android devices, is now able steal one-time passcodes generated through the Google Authenticator app, security researchers have claimed.

Launched in a bid to improve upon SMS-based one-time passcodes, Google’s app is used as a two-factor authentication (2FA) layer for many online accounts.

Generated on the user’s smartphone, Google Authenticator codes are considered more secure than SMS-based alerts as they do not travel through possibly-vulnerable mobile networks.

However, the latest iteration of the Cerberus banking trojan is capable of circumventing the protection afforded by Google Authenticator, security researchers from ThreatFabric have found.

“Abusing the Accessibility privileges, the Trojan can now also steal 2FA codes from the Google Authenticator application,” the team said.

Cerberus malware

The ability to sidestep multi-factor authentication - something very few malware strains have previously been able to execute - would position Cerberus among an elite class of trojans.

According to ThreatFabric, current versions of the banking trojan are already advanced, and exhibit the same qualities found in remote access trojans (RATs) - a highly potent class of malware.

Advanced features allow hackers to remotely connect to an infected device, and use the code-stealing capability to gain entrance to online banking accounts.

Although it’s most likely cybercriminals will use the ability to bypass 2FA to access online banking accounts, there same feature could allow them to infiltrate other types of account protected by Google Authenticator, such as email inboxes.

As it stands, the version of Cerberus capable of stealing 2FA codes has not yet been published to hacking forums, however this isn't to say it will not be at some point in the future.

“We believe this variant of Cerberus is still in the test phase but might be released soon,” warned the ThreatFabric team.

Via ZDNet