Android malware steals two-factor authentication codes from Google Authenticator
The team at ThreatFabric has discovered and documented several varieties of remote access trojan malware. Among them is the Cerberus banking trojan, which can steal personally identifiable information from any Android device it infects. On top of that, it can steal the PIN code or swipe pattern used to unlock the device, and it can hijack two-factor authentication codes from Google Authenticator.
The report describes how the only thing Cerberus needs in order to steal the credentials for unlocking an infected Android device is an invisible overlay that prompts the user to unlock the device once. ThreatFabric concludes that this functionality was built into Cerberus so that an attacker can remotely unlock the infected device and carry out fraudulent activity while the device is not in use.
Cerberus is able to remotely control the Android version of TeamViewer in order to conduct fraud. It can also download the full contents of the device's file system, launch several vulnerable apps that may hold personally identifiable information, change any device settings it needs, and analyze the user's device usage behaviors and habits.
ThreatFabric closes its analysis of Cerberus by noting that these features have not yet been shared on underground forums specializing in malware, and concludes that the functionality is still being tested and has not yet been released into the wild. Many banking and social network apps are vulnerable to this malware; ThreatFabric has published a full list here.
Protect your Android device against this threat by staying vigilant about what the device is used for, both by yourself and by anyone else who uses it. Using a web content blocker such as uBlock Origin and an alternative 2FA service such as Authy is also recommended.