ThreatFabric experts report that the Android banking Trojan Cerberus has learned to steal two-factor authentication codes generated by the Google Authenticator application, and thus to bypass this protection.
The Google Authenticator app was launched ten years ago, in 2010. It is positioned as an alternative to one-time passwords sent via SMS. Since Google Authenticator codes are generated on the user's device and are never transmitted over insecure mobile networks, accounts that use it for two-factor authentication are considered more secure. That assumption holds only as long as the device itself is not compromised: the code still has to be displayed on screen, and anything that can read the screen can read the code.
Let me remind you that the Cerberus malware was discovered by information security specialists in the summer of 2019. At the time it was reported that Cerberus does not exploit any vulnerabilities and is distributed exclusively through social engineering. The malware lets attackers establish full control over an infected device and also has the functions classic for a banker: overlays, SMS control, and extraction of the contact list.
In a new report, ThreatFabric experts say that the latest versions of Cerberus are very advanced malware. In particular, Cerberus now uses features typically found in Remote Access Trojans (RATs). These allow Cerberus operators to connect remotely to an infected device, change device settings, install and remove applications, use the victim's credentials to access online banking, and steal one-time passwords from Google Authenticator to bypass two-factor authentication where it is enabled.
Apparently, the new feature for stealing 2FA codes is not yet included in the version of Cerberus currently advertised and sold on hacker forums. According to the researchers, this build is still at the testing stage.
“By abusing Accessibility privileges, the trojan can steal 2FA codes from the Google Authenticator application. When the application (Authenticator) is launched, the trojan is able to extract the contents of the interface and send it to its managing server,” experts say.
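The abuse described above only works once the malicious app has been enabled as an accessibility service, and Android records every enabled service in a single secure setting. The following script is an added example for this article, not code from ThreatFabric or from Cerberus: it flags enabled accessibility services whose package is not on an allowlist. The allowlist, the sample setting value and the package name com.example.dropper are constructed for illustration; the `adb shell settings get secure enabled_accessibility_services` command that supplies the real value on a device is genuine.

```shell
#!/bin/sh
# Added example (not from ThreatFabric or the article): flag Android
# accessibility services that are enabled but not on an allowlist.
#
# On a real device the input string comes from this (real) command:
#   adb shell settings get secure enabled_accessibility_services
# Its format is a colon-separated list of "package/ServiceClass" entries,
# or the literal string "null" when no service is enabled.

# Allowlist of package names the analyst considers legitimate (assumption;
# adjust it for the device under review).
ALLOWED_PACKAGES="com.google.android.marvin.talkback com.android.systemui"

# flag_unexpected_services VALUE
#   Prints each enabled service whose package is not allowlisted.
#   Returns 0 when nothing unexpected is enabled, 1 otherwise.
flag_unexpected_services() {
    value="$1"
    status=0
    if [ -z "$value" ] || [ "$value" = "null" ]; then
        return 0
    fi
    old_ifs="$IFS"
    IFS=':'
    for entry in $value; do
        pkg="${entry%%/*}"               # package name is the part before '/'
        case " $ALLOWED_PACKAGES " in
            *" $pkg "*) ;;               # known-good package, nothing to report
            *) echo "unexpected accessibility service: $entry"; status=1 ;;
        esac
    done
    IFS="$old_ifs"
    return "$status"
}

# Constructed sample value (not captured from a real infection): TalkBack plus
# an unknown app that has obtained accessibility privileges.
SAMPLE="com.google.android.marvin.talkback/.TalkBackService:com.example.dropper/.ScreenReaderService"

if flag_unexpected_services "$SAMPLE"; then
    echo "no unexpected accessibility services"
else
    echo "device needs review"
fi
```

To run it against a connected device, pass the live value instead of the sample: `flag_unexpected_services "$(adb shell settings get secure enabled_accessibility_services)"`. The same list is visible to the user under Settings > Accessibility, which is why social-engineering droppers spend so much effort on talking the victim into enabling the service in the first place; `adb shell dumpsys accessibility` shows the bound services and their capabilities if you need more detail than the setting string gives.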
ThreatFabric analysts believe that Cerberus will most likely use this feature to bypass two-factor authentication at banks, but nothing prevents attackers from bypassing 2FA for other types of accounts, including mailboxes, code repositories, social network accounts, and so on.