Last month, ThreatFabric researchers discovered the first malware able to steal two-factor authentication codes, relying on a weakness in Google Authenticator: the app does not stop other apps from capturing its screen.
The malware, known as Cerberus, is a hybrid of a banking Trojan and a Remote Access Trojan (RAT) for Android devices. Its code-stealing function is still under development and has not yet been observed in real attacks.
"After infecting the device using the functions of a banking Trojan, the malware steals banking data. If the victim's account is protected by the two-factor authentication mechanism of the Google Authenticator application, Cerberus acts as a RAT and provides its operators with remote access to the device. Attackers open Google Authenticator, generate a one-time code, and then gain access to the victim's account", ThreatFabric experts say.
ThreatFabric analysts believe that Cerberus will most likely use this feature to bypass two-factor authentication at banks, but nothing prevents attackers from bypassing 2FA for other kinds of accounts as well, including mailboxes, code repositories and social network accounts.
Cerberus is the first known malware that steals one-time two-factor authentication codes. The technique is very simple: the Trojan takes a screenshot of the Google Authenticator interface while a code is displayed.
Researchers from Nightwatch Cybersecurity decided to study what exactly in Google Authenticator makes this Cerberus function possible, and in particular to examine why the screenshot works.
"It appears that Google Authenticator allows screenshots to be taken of OTP codes. The implication is that if a user's device ends up running a rogue app, that app can capture all generated OTP codes as they are shown by the app, and thus break two-factor authentication", Nightwatch Cybersecurity specialists write.
Android lets an application protect its users from screen capture by other applications: if the app sets the FLAG_SECURE flag (WindowManager.LayoutParams.FLAG_SECURE) on a window, the system refuses to include that window in screenshots, screen recordings and the Recents thumbnail. As it turned out, Google never set this flag on the Google Authenticator window that displays the codes.
According to the Nightwatch Cybersecurity researchers, Google could have fixed this problem back in 2014, when a GitHub user reported it, but did not. The problem remained unfixed in 2017, when Nightwatch Cybersecurity informed the company about it, and it remains unfixed to this day.
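To make the fix concrete, here is how an Android app sets FLAG_SECURE on the window that renders its one-time codes. This is an added example, not code from Google Authenticator, Microsoft Authenticator or the researchers quoted above; the class name OtpActivity and the layout resource are hypothetical.

```java
// Added example (not Google's or the researchers' code): an Activity that marks
// its window secure so Android refuses to capture it. OtpActivity and
// R.layout.activity_otp are hypothetical names chosen for this illustration.
import android.app.Activity;
import android.os.Bundle;
import android.view.WindowManager;

public class OtpActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Set the flag before the first frame is drawn, i.e. before
        // setContentView(), so that no unprotected frame of the code is ever
        // rendered. Each Window carries its own flags, which is why this is
        // done per Activity (and per Dialog) rather than once per app.
        getWindow().setFlags(
                WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);

        setContentView(R.layout.activity_otp); // hypothetical layout showing the codes
    }
}
```

FLAG_SECURE is a per-window property, so any Dialog or PopupWindow that also shows a code needs the same call on its own window. It blocks the system screenshot path, MediaProjection-based screen recording and the Recents thumbnail, but it does not stop a malicious app that has been granted Accessibility Service access from reading the on-screen text, so it closes one capture channel rather than all of them. A quick check while the secure window is in the foreground: `adb shell screencap -p /sdcard/s.png` produces an image in which that window's contents are blacked out.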
Several security professionals also pointed out that Microsoft Authenticator has the exact same problem. Nightwatch Cybersecurity reported this to the vendor, but this problem remains unresolved.