A new version of an Android Trojan has been found capable of extracting and stealing codes generated by Google Authenticator. Named Cerberus, this banking trojan steals the one-time codes generated by the Google Authenticator app and uses them to get past 2FA-protected accounts.
The app, launched by Google in 2010, generates unique six- to eight-digit codes, which users enter into login forms when accessing accounts online. Google's main reason for launching the Authenticator app was to do away with the hassle of one-time passwords being sent to the SMS inbox every time a login is required. Further, and for obvious reasons, app-based 2FA is more secure than one-time passwords sent by SMS.
This capability was only found in the most recent samples of Cerberus by the Dutch mobile security firm ThreatFabric. What is interesting is that the trojan was only launched in June 2019. It obtains the codes by abusing Android's accessibility privileges and makes off with the 2FA codes from the Google Authenticator app: with the app running, all the Trojan does is capture the content of the interface and send it to a remote command-and-control server.
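The attack described above works by reading on-screen text through an accessibility service. The following is an added example (not code from the article, from ThreatFabric, or from Cerberus) of two defensive measures an Android app that displays one-time codes can take, plus an audit helper; `OtpScreenHardening`, `hideCodeFromAccessibility`, `blockScreenCapture`, `unexpectedAccessibilityServices` and the `allowedPackages` allow-list are all names assumed for this example.

```kotlin
// Added example, not from the article: hardening an OTP-displaying screen
// against accessibility-based scraping of the kind described for Cerberus.
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager
import android.widget.TextView

object OtpScreenHardening {

    // Exclude the view holding the secret code from the accessibility node tree.
    // Apply it only to the code itself so the rest of the screen stays usable
    // by legitimate assistive technology.
    fun hideCodeFromAccessibility(codeView: TextView) {
        codeView.importantForAccessibility = View.IMPORTANT_FOR_ACCESSIBILITY_NO
    }

    // Block screenshots and screen recording of the window. This stops
    // capture of the rendered pixels, not reading of the view hierarchy.
    fun blockScreenCapture(activity: Activity) {
        activity.window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
    }

    // Audit helper: return the packages of enabled accessibility services that
    // are not on an allow-list the app maintains (allowedPackages is a
    // hypothetical placeholder; a real app would ship a vetted list).
    // Useful for logging or for warning the user before showing a code.
    fun unexpectedAccessibilityServices(
        context: Context,
        allowedPackages: Set<String>
    ): List<String> {
        val manager = context.getSystemService(Context.ACCESSIBILITY_SERVICE)
            as AccessibilityManager
        return manager
            .getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .map { it.resolveInfo.serviceInfo.packageName }
            .filterNot { it in allowedPackages }
            .distinct()
    }
}
```

Neither measure is a hard boundary: an accessibility service can request to see views marked not important, and `FLAG_SECURE` does not affect the accessibility tree at all. The audit helper only surfaces which services are enabled; deciding whether a given service is trustworthy is still up to the app and the user.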
While the trojan is available on forums, ThreatFabric reports that the new feature is not yet live in the advertised versions sold on hacking forums, but “might be released soon”.
ThreatFabric also notes that the banking trojan is very advanced; it is said to pack the same features and qualities as a superior class of malware, remote access trojans (RATs). With such an improved feature set, Cerberus can be deployed remotely, and the operator can connect to an infected device, access the user's banking account credentials and thereby break into the account, bypassing the 2FA protection of Google Authenticator where the bank uses it.
The threat, however, could potentially be of a much larger scale than this. While banking accounts are protected by the Authenticator app, many other accounts across the internet rely on the same 2FA protection from this app. This means every account that relies on the app's protection could be affected, and the range is very diverse: email inboxes, code repositories, social media accounts, and so on.