Last month, ThreatFabric, an Amsterdam-based cyber security firm, discovered a malicious program called Cerberus. It is the first Android malware known to successfully steal the 2FA (two-factor authentication) codes generated by Google’s Authenticator app. The software is still under development, and there is currently no evidence that it has been used in an actual attack.
The researchers say the malicious program combines the characteristics of a bank trojan and a remote access trojan (RAT). Once an Android user is infected, hackers use the malware’s bank trojan feature to steal the account credentials of the mobile banking application.
The ThreatFabric report notes that the trojan, first discovered at the end of June, replaced the Anubis trojan and became a major malware-as-a-service offering.
Cerberus was updated in mid-January 2020 with a new version that adds the ability to steal 2FA tokens from Google Authenticator, as well as the device’s screen-lock PIN and swipe pattern, the report said.
Even if the user’s account is protected by 2FA codes generated by Google Authenticator, the attacker can manually connect to the user’s device through Cerberus’s RAT feature. The attacker then opens the Authenticator application, waits for it to generate a one-time password, takes a screenshot of the code, and uses it to access the user’s account.
The security team said: “The ability to enable the screen lock credentials (PIN and lock mode) of the stolen device is supported by a simple overlay that will require the victim to unlock the device. From the RAT implementation, we can conclude that this screen lock credential theft was established to enable participants to remotely unlock the device so that the victim can commit fraud when the device is not being used. This shows once again the creativity of criminals to create the right tools to succeed.”
In a study published this week, researchers from Nightwatch Cybersecurity delved into the root cause of the attack: the Authenticator app allows screenshots of its content in the first place.
The Android operating system protects its users by allowing an application to block other applications from capturing its content. This is done by setting the FLAG_SECURE flag on the application’s window. Google does not set this flag in the Authenticator app, even though the app handles very sensitive content.
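As an added illustration of the mitigation described above (example code written for this article, not Google’s Authenticator source), the activity below sets FLAG_SECURE on its window before attaching any content, and a small helper checks whether a given window carries the flag so an instrumentation test can assert that every screen showing a one-time code is protected. The activity name, the placeholder code string and the helper class are assumptions for the example.

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;
import android.widget.TextView;

// Hypothetical activity that displays a one-time code (constructed example).
public class OtpDisplayActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Mark the window as secure BEFORE any content is attached, so the
        // system never treats this screen as capturable. With FLAG_SECURE set,
        // the window is excluded from screenshots and from screen recording
        // (MediaProjection consumers see a blank area) and is not shown on
        // non-secure displays.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        TextView codeView = new TextView(this);
        // Placeholder value; a real app fills this in from its TOTP generator.
        codeView.setText("000000");
        setContentView(codeView);
    }
}

// Helper for tests: returns true only when the window has FLAG_SECURE set.
final class SecureWindowCheck {
    private SecureWindowCheck() {}

    static boolean isSecureWindow(Window window) {
        int flags = window.getAttributes().flags;
        return (flags & WindowManager.LayoutParams.FLAG_SECURE) != 0;
    }
}
```

In an instrumentation test, launch the activity and assert `SecureWindowCheck.isSecureWindow(activity.getWindow())`; a regression that drops the flag then fails the build rather than surfacing in a screenshot. FLAG_SECURE addresses exactly the screenshot path the article describes; it does not stop a malicious accessibility service from reading the text of on-screen views, so treat it as one layer alongside granting accessibility and overlay permissions sparingly.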
The Nightwatch researchers said Google received a report of the problem as early as October 2014, when a user noticed the misconfiguration on GitHub. In 2017, Nightwatch reported the same problem to Google’s security team and found that Microsoft’s Authenticator also allowed screenshots.