Cybersecurity researchers have discovered a new version of Android malware that can extract and steal one-time passcodes generated by Google's two-factor authentication app.
According to ZDNet, the malware, called Cerberus, can intercept passcodes generated by Google Authenticator, a mobile app used as a two-factor authentication layer: it generates six-to-eight-digit codes that end users enter to access certain accounts.
ZDNet cited Dutch security firm ThreatFabric, which said it has spotted an Authenticator OTP-stealing capability in recent samples of Cerberus.
Cerberus, a banking trojan, was originally discovered in June 2019, ZDNet reported:
“Abusing the Accessibility privileges, the Trojan can now also steal 2FA codes from Google Authenticator application,” the ThreatFabric team said.
“When the [Authenticator] app is running, the Trojan can get the content of the interface and can send it to the [command-and-control] server,” they added.
ThreatFabric said this new feature is not yet live in the Cerberus version advertised and sold on hacking forums.
“We believe that this variant of Cerberus is still in the test phase but might be released soon,” researchers said.
Per ZDNet, ThreatFabric noted that this new version of the malware is very advanced and is now one of very few malware strains that can bypass multi-factor authentication solutions.
Cerberus is now considered a superior class of malware, similar to remote access trojans (RATs).
These RAT features allow Cerberus operators to remotely connect to an infected device, use the owner’s banking credentials to access an online banking account, and then use the Authenticator OTP-stealing feature to bypass 2FA protections on the account — if present.
ThreatFabric researchers believe the Cerberus trojan will most likely use this feature to bypass Authenticator-based 2FA protections on online banking accounts. However, nothing stops the operators from bypassing Authenticator-based 2FA on other types of accounts, including email inboxes, code repositories, social media accounts, intranets, and others.
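Because Cerberus reads the Authenticator screen through an Accessibility service, one defender-side check is to audit which accessibility services are enabled on a device. The script below is an added example, not code from ThreatFabric or ZDNet: it parses the colon-separated value of Android's `enabled_accessibility_services` secure setting (a constructed sample here, in the shape returned by `adb shell settings get secure enabled_accessibility_services`) against an allowlist and reports every service not on it; the allowlisted packages are assumptions to be replaced per fleet.

```shell
#!/bin/sh
# Constructed sample of the setting value: colon-separated ComponentName entries
# in the form package/service-class. The second entry stands in for an unknown app.
SAMPLE_SETTING='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknownapp/.AccessService'

# Space-separated packages whose accessibility services are expected (assumed allowlist).
ALLOWED_PACKAGES='com.google.android.marvin.talkback com.example.corp.mdmagent'

# unexpected_accessibility_services SETTING_VALUE
# Prints, one per line, each enabled accessibility service whose package is not
# allowlisted. An empty value or the literal "null" means no service is enabled.
unexpected_accessibility_services() {
    setting="$1"
    if [ -z "$setting" ] || [ "$setting" = "null" ]; then
        return 0
    fi
    old_ifs="$IFS"
    IFS=':'                      # split the setting on ':' only
    for component in $setting; do
        [ -z "$component" ] && continue
        pkg="${component%%/*}"   # package name is everything before the first '/'
        case " $ALLOWED_PACKAGES " in
            *" $pkg "*) ;;       # expected service, nothing to report
            *) printf '%s\n' "$component" ;;
        esac
    done
    IFS="$old_ifs"
    return 0
}

# Count of unexpected services, usable as a pass/fail signal in a fleet check.
count_unexpected_accessibility_services() {
    unexpected_accessibility_services "$1" | grep -c .
}

# On a real device (requires adb; not executed here):
#   unexpected_accessibility_services "$(adb shell settings get secure enabled_accessibility_services)"
unexpected_accessibility_services "$SAMPLE_SETTING"
```

A non-empty result does not prove infection, but an accessibility service from a package the organization did not approve is exactly the privilege Cerberus abuses and warrants investigation.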
According to ThreatFabric, this variant of Cerberus is believed to still be in the test phase, but could soon be released on the dark web.
“Having an exhaustive target list including institutions from all over the world, combined with its new RAT capability, Cerberus is a critical risk for financials offering online banking services,” the firm said.