Tomcat (Professional) - Messages: 2,695 - Reaction score: 1,060 - Points: 113
ThreatFabric discovered the first ever malware to steal two-factor authentication codes generated by Google Authenticator. The researchers dubbed the malware Cerberus, and its code-stealing feature is still under development and has not yet been used in actual attacks.
Cerberus is a hybrid of a banking Trojan and a Remote Access Trojan (RAT) for Android devices. After infecting a device using banking Trojan functions, the malware steals banking data. In the event that the victim's account is protected using the two-factor authentication mechanism of the Google Authenticator application, Cerberus acts as a RAT and provides its operators with remote access to the device. Attackers open Google Authenticator, generate a one-time code, take a screenshot of it, and then gain access to the victim's account.
Cerberus is not only the first-ever malware to steal two-factor authentication one-time codes; the Trojan also uses a very simple technique for this: it takes a screenshot of the Google Authenticator interface.
Researchers at Nightwatch Cybersecurity decided to investigate what exactly in Google Authenticator makes the Cerberus features, in particular the screenshot feature, possible. Android OS allows applications to protect their users from other applications taking screenshots of their content; for this, the application must set the FLAG_SECURE flag. As it turns out, Google has not added this flag to Google Authenticator.
According to researchers at Nightwatch Cybersecurity, Google could have fixed the issue back in 2014 after a GitHub user wrote about it, but didn't. The problem remained unresolved in 2017, when Nightwatch Cybersecurity experts reported it to the company, and remains so to this day.
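The post's point is that the protection Google Authenticator lacks is a single window flag. Below is an added example, written for this page and not taken from the post or from Google Authenticator's source, of a minimal Android Activity that shows a one-time code and sets FLAG_SECURE on its window before any content is attached. The package name, class name and the displayed code value are assumptions made for the illustration.

```java
// Added example (not from the post or from Google Authenticator's code):
// an Activity that displays a one-time code and opts its window out of
// screenshots and screen capture with WindowManager.LayoutParams.FLAG_SECURE.
package com.example.otpdemo;   // hypothetical package name

import android.app.Activity;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;
import android.widget.TextView;

public class OtpActivity extends Activity {

    // Constructed sample value standing in for a real TOTP output.
    private static final String SAMPLE_CODE = "123 456";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Set FLAG_SECURE before setContentView() so the window is never
        // drawn without it. With the flag set, the window's contents are
        // excluded from screenshots, screen recording (MediaProjection) and
        // non-secure displays: a capture attempt yields a black area or fails.
        getWindow().setFlags(
                WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);

        TextView codeView = new TextView(this);
        codeView.setText(SAMPLE_CODE);
        codeView.setTextSize(40f);
        setContentView(codeView);
    }

    // Helper for a self-check or an instrumentation test: true when the
    // window currently carries FLAG_SECURE. Without the setFlags() call
    // above (the Google Authenticator situation the post describes) this
    // returns false.
    static boolean isCaptureProtected(Window window) {
        int flags = window.getAttributes().flags;
        return (flags & WindowManager.LayoutParams.FLAG_SECURE) != 0;
    }
}
```

FLAG_SECURE is per window, so every Activity and Dialog that shows a code needs it, not just the main screen. It only addresses screenshots and screen capture; it does not hide the TextView's text from an accessibility service, which is a separate hardening concern outside what this post discusses.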