-
An Android malware strain can now extract and steal one-time passwords (OTP) generated through Google Authenticator.
-
The Dutch security firm ThreatFabric discovered the feature in a new variant of the Cerberus Android Trojan, which is designed to steal access to people’s bank accounts by hijacking their smartphones.
-
The new version of Cerberus is not yet for sale on hacking forums but this malware can pose serious threats to online banking services.
The Cerberus banking Trojan has been upgraded with RAT functionality and is now capable of stealing victims' Google Authenticator two-factor authentication (2FA) codes used as an extra layer of security when logging into online accounts.
that uses a data connection to send a one-time password (OTP) via text messages, something that the search giant frowns upon seeing that they can be intercepted because they're sent using an external carrier network.
While using an app to generate 2FA codes locally is seen as a more secure alternative to SMS-delivered ones, security researchers at mobile threat intelligence firm ThreatFabric have discovered an upgraded Cerberus banking Trojan sample that can now also log and steal information from Google Authenticator.
This might get as SMS-based 2FA in the near future seeing that the codes can now be stolen in both cases.
Learn more:
Abusing Google's Authenticator
The Android malware that was first spotted in June 2019 as a run-of-the-mill banking Trojan now steals Google Authenticator 2FA codes by abusing Android Accessibility privileges.
"When the app is running, the Trojan can get the content of the interface and can send it to the C2 server," the report adds. "Once again, we can deduce that this functionality will be used to bypass authentication services that rely on OTP codes."
These stolen codes can be used to bypass the additional 2FA security layer on online services such as banks, email services, messaging apps, and social media networks to name just a few.
Cerberus' 2FA code theft module is not the first one spotted in the wild so far, with previous cases of malware capable of this stunt being discovered by ESET and Symantec. However, those strains were targeting SMS-based two-factor authentication to bypass 2FA protection.
Learn more:
Fully operational RAT module
As the ThreatFabric security researchers also discovered, Cerberus now has TeamViewer-based designed to provide its operators with full RAT functionality.
"The RAT service is able to traverse the file system of the device and download its contents. On top of that, it can also launch TeamViewer and set up connections to it, providing threat actors full remote access of the device."
ThreatFabric Team
This new RAT module can be used by Cerberus' operators to manage apps on infected Android devices, change a device's settings, as well as use any of the apps installed just like the device's owner.
“As long as the victim hasn’t granted it, the Trojan will ask for it. Once granted the bot will be able to read/visualize all information on the infected device’s screen but also click and interact with that content.”
ThreatFabric General Manager Gaetan van Diemen
The Android malware sample they analyzed also comes with a that uses overlays, making it possible for the attackers to use the built-in RAT to unlock their victims' Android devices remotely.
"From the implementation of the RAT, we can conclude that this screen-lock credential theft was built in order for the actors to be able to remotely unlock the device in order to perform fraud when the victim is not using the device. This once more shows the creativity of criminals to build the right tools to be successful." ThreatFabric said.
Until the report was published, ThreatFabric has seen no attempts to advertise these new capabilities on underground forums or YouTube channels Cerberus is being peddled on.
This hints at the upgraded malware still going through a testing phase at the moment, although the researchers think that it "might be released soon."
"Having an exhaustive target list including institutions from all over the world, combined with its new RAT capability, Cerberus is a critical risk for financials offering online banking services," ThreatFabric adds.
About ThreatFabric
ThreatFabric provides banks with the expertise and tools to detect known and unknown threats to mitigate fraud and deflect risk. With ThreatFabric's custom analysis and detection capabilities, response to complex cyber threats has become simple and efficient. The company has two solutions the Mobile Threat Intelligence (MTI) and Client-Side Detection (CSD). MTI is a combination of dark-web investigations and malware analysis to empower and support users. CSD is a balanced solution for risk-status and malware detection.