The Google Authenticator is a handy app for those who use two-factor authentication (2FA) to better protect their online accounts.
What it does, is generating a Time-based One-time Password Algorithm (TOTP) and HMAC-based One-time Password algorithm (HOTP), for authenticating users of software applications. This app unfortunately, had flaws as it can be infected with a malware known as 'Cerberus'.
According to a Dutch financial cyber security specialist ThreatFabric, Cerberus is a banking trojan that can steal one-time passcodes generated by the app and potentially enable hackers to access bank accounts, email inboxes, social media, and most other user-based platforms of online activity.
This malware according to ThreatFabric, is "designed and used primarily to access and steal information that facilitates financial fraud."
The flaw happened to be found on Google Authenticator on Android, and is possible because the malware is a RAT (Remote Access Trojan) that targets the accessibility privileges on Android devices.
And because it is a sophisticated RAT, Cerberus can also enable hackers to remotely control a victim's mobile device,
Cerberus has a short past, but indeed notable in many cases.
The malware was first discovered by ThreatFabric back in June 2019. Being rented out on underground forums, its authors claim that it was used for private operations for years preceding the start of the rental.
The authors also state that the code is written from scratch and is not using parts of other existing banking trojans.
Just like most other RATS, Cerberus can be used to control devices. But Cerberus can also control Android mobile devices, infiltrate them, and leverage their credentials to sneak deeper into the OS.
As a result, it can also alter device settings, access installed apps, delete or install apps, and "also provide valuable insight into victims' behaviors and habits," according to ThreatFabric.
In this case, the malware can use its features to steal Google Authenticator's passcodes to evade any 2FA security measures.
Cerberus' ability to compromise 2FA systems is extremely rare in the malware world.
While there is no evidence that the malware has been used to steal Google Authenticator users' 2FA accounts, still, members of the Android community are alarmed at its potential for misuse.
"Having an exhaustive target list including institutions from all over the world, combined with its new RAT capability, Cerberus is a critical risk for financials offering online banking services. Whether in its target list or not, it is easy for its operators to enhance the list to target additional apps," said ThreatFabric.
ThreatFabric's finding was then supported by Nightwatch Cybersecurity, reporting that the malware can also steal screen lock codes/credentials, allowing the threat actors to remotely unlock a device for the purpose of performing fraud.
In an another report, Nightwatch Cybersecurity also said that rogue apps on Android devices might be able to steal all generated OTP codes from the Google Authenticator, as the app allows screenshots of one-time passcodes to be captured.
Android allows apps to protect their users by blocking other apps from taking screenshots of their content. This can be done using the FLAG_SECURE inside the app's configuration.
Google however, didn't add this flag to its Authenticator app, despite the fact that the app is designed to handle sensitive content.
Researchers at Nightwatch Cybersecurity said that Google could have fixed this issue as early as October 2014, when this misconfiguration was first shared by someone on GitHub.
In addition, the researchers also found that Microsoft's Authenticator app for Android also has this same misconfiguration that allows its screen to be screenshotted.