An Android malware strain being sold to hackers has gained a scary capability: it can now try to steal two-factor codes from the Google Authenticator app.
First reported by ZDNet, the Dutch security firm ThreatFabric discovered the feature in a new variant of the Cerberus Android Trojan, which is designed to steal access to people’s bank accounts by hijacking their smartphones.
If successfully installed, Cerberus is capable of logging your keystrokes and harvesting all your SMS messages.
In addition, it can trick you into handing over your password to a mobile banking app by generating a fake login window on your phone.
However, sometimes collecting a password isn’t enough to break into your internet accounts.
Increasingly, users are protecting their most important online properties by adding a second step to the login process.
This setup, known as two-factor authentication, requires anyone logging in to also type in a special passcode generated on the account holder’s smartphone to gain full access.
Google Authenticator is among the security apps that can generate the special passcodes used for two-factor authentication systems.
But it appears Cerberus’ creators are working on a way to pilfer the 2FA codes from the app itself.
“When the app is running, the Trojan can get the content of the interface and can send it to the C2 (command-and-control) server,” ThreatFabric wrote in a report this week.
“Once again, we can deduce that this functionality will be used to bypass authentication services that rely on (one-time pass) codes.”
Fortunately, the capability has a big limitation: The owner of the infected Android phone has to be tricked into granting the malware access to the Google Authenticator app’s interface.
To pull this off, Cerberus will pretend to be an app like “Flash Player” and then demand the user grant it Android’s Accessibility Service privileges, which are designed to help people with disabilities use their phone.
However, the same privileges can be quite powerful and in the wrong hands can pave the way for a malicious device takeover.
“As long as the victim hasn’t granted it, the Trojan will ask for it,” ThreatFabric General Manager Gaetan van Diemen told Daxdi in an email.
“Once granted the bot will be able to read/visualize all information on the infected device’s screen but also click and interact with that content.”
To steal the Google Authenticator codes, the Cerberus Trojan will simply launch the app, then copy and upload the content to the malware’s command and control server, he added.
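Because the whole technique hinges on the Accessibility Service grant, the practical defensive check is to audit which accessibility services a device actually has enabled. Below is an added example (not from the article or ThreatFabric) that parses the value Android stores in the secure setting `enabled_accessibility_services`, which an administrator can read with `adb shell settings get secure enabled_accessibility_services`, and flags any service whose package is not on an expected list. The sample value, the `com.example.fakeflash` package and the allowlist are constructed for illustration.

```python
from typing import Dict, List, Set

# Constructed sample of the setting's value. Entries are "package/ServiceClass"
# separated by ':'. A device with nothing enabled prints the literal string "null".
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeflash/com.example.fakeflash.OverlayService"  # constructed, hypothetical package
)

# Constructed allowlist: packages whose accessibility services a fleet expects to see.
EXPECTED_PACKAGES: Set[str] = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw: str) -> Dict[str, List[str]]:
    """Map package name -> enabled accessibility service classes from the raw setting string."""
    services: Dict[str, List[str]] = {}
    raw = (raw or "").strip()
    if raw in ("", "null"):                     # unset setting: no services enabled
        return services
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        if "/" in entry:
            package, cls = entry.split("/", 1)
            if cls.startswith("."):             # short form "pkg/.Class" means "pkg/pkg.Class"
                cls = package + cls
        else:
            package, cls = entry, ""
        services.setdefault(package, []).append(cls)
    return services


def unexpected_services(raw: str, expected: Set[str]) -> List[str]:
    """Return 'package/class' for every enabled service outside the expected package set."""
    found = parse_enabled_services(raw)
    return sorted(
        f"{pkg}/{cls}"
        for pkg, classes in found.items()
        if pkg not in expected
        for cls in classes
    )


if __name__ == "__main__":
    for item in unexpected_services(SAMPLE_ENABLED, EXPECTED_PACKAGES):
        print("unexpected accessibility service:", item)
```

On a managed fleet the same comparison can be run from an MDM inventory; the useful signal is any accessibility service belonging to a package that has no accessibility purpose, which is exactly the footprint of the "Flash Player" lure described above.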
For now, the Google Authenticator code-stealing capability has yet to be advertised by Cerberus’s creators.
“Therefore, we believe that this variant of Cerberus is still in the test phase but might be released soon,” ThreatFabric warned in its report.
Since last June, Cerberus’s creators have been renting out access to the malware on a Russian hacking forum, at prices starting at $4,000 for three months of access.
It's up to the customers themselves to spread the malware, which can be circulated via malicious links in emails and SMS messages.
So to avoid it, you should stick with only downloading Android apps from the official Google Play Store, which filters out malicious products.
Google itself has yet to comment on ThreatFabric’s report.
However, the company’s authenticator app isn’t the only 2FA product affected.
By abusing the Accessibility Service privileges, the malware could pilfer information from any app on the smartphone, van Diemen said.