Android banking malware can steal Google Authenticator codes
A new version of the Cerberus banking malware has been found with a feature that allows it to steal Google Authenticator two-factor authentication codes, a serious security threat for users.
Google Authenticator is a software-based authenticator that offers 2FA keys to access accounts. How many companies use the service is not known, but it is popular particularly with financial and cryptocurrency services and can be used to log into Google itself.
The new version of Cerberus was discovered recently by researchers at security firm ThreatFabric. The malware, which first appeared in June 2019, has undergone significant changes called refactoring. The new version has had its code changed and updates to its command-and-control base but more importantly now has enhanced Remote Access Trojan virus capability.
With the enhanced RAT capability, the malware now can traverse the file system on an infected device and download its content. It can also launch TeamViewer and set up connections to it, giving those behind the malware full remote access to the device. That’s where the threat to Google Authenticator comes into play.
#Malware challenge :
🤔Try finding the relation between these screenshots…
— ThreatFabric (@ThreatFabric) February 20, 2020
The installation of Teamviewer opens the door to many possibilities, including the ability to change device settings, install or remove apps and, most notably, use any app on the device.
“Abusing the accessibility privileges, the Trojan can now also steal 2FA codes from Google Authenticator application,” the researchers note. “When the app is running, the Trojan can get the content of the interface and can send it to the C2 server.”
The only possible good news is that there is no evidence of the new version Cerberus being offered on underground forums, leading the researchers to believe that the new version may still be in a test phase. That could change rapidly, however, as the code becomes widely available on underground hacking sites.
“Having an exhaustive target list including institutions from all over the world, combined with its new RAT capability, Cerberus is a critical risk for financials offering online banking services,” the researchers concluded.
Image: Google Play
A message from John Furrier, co-founder of SiliconANGLE:
Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.
We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.