UPDATED 19:45 EDT / FEBRUARY 27 2020

SECURITY

Android banking malware can steal Google Authenticator codes

A new version of the Cerberus banking malware has been found with a feature that allows it to steal Google Authenticator two-factor authentication codes, a serious security threat for users.

Google Authenticator is a software-based authenticator that generates 2FA codes used to access accounts. How many companies use the service is not known, but it is particularly popular with financial and cryptocurrency services and can be used to log into Google itself.

The new version of Cerberus was discovered recently by researchers at security firm ThreatFabric. The malware, which first appeared in June 2019, has undergone significant changes, described as refactoring. The new version has had its code changed and its command-and-control base updated but, more importantly, now has enhanced remote access Trojan (RAT) capability.

With the enhanced RAT capability, the malware now can traverse the file system on an infected device and download its content. It can also launch TeamViewer and set up connections to it, giving those behind the malware full remote access to the device. That’s where the threat to Google Authenticator comes into play.

The installation of TeamViewer opens the door to many possibilities, including the ability to change device settings, install or remove apps and, most notably, use any app on the device.

“Abusing the accessibility privileges, the Trojan can now also steal 2FA codes from Google Authenticator application,” the researchers note. “When the app is running, the Trojan can get the content of the interface and can send it to the C2 server.”

The only possible good news is that there is no evidence of the new version of Cerberus being offered on underground forums, leading the researchers to believe that it may still be in a test phase. That could change rapidly, however, as the code becomes widely available on underground hacking sites.

“Having an exhaustive target list including institutions from all over the world, combined with its new RAT capability, Cerberus is a critical risk for financials offering online banking services,” the researchers concluded.

