Android malware steals two-factor authentication codes from Google Authenticator

Written 3 months ago by IanDorfman

The team at ThreatFabric has discovered and detailed several remote access trojan malware varieties. Among these is the Cerberus banking trojan, which can steal personally identifiable information from any Android device it infects. On top of that, it can steal the PIN code or swipe pattern used to unlock an Android device, as well as hijack two-factor authentication codes from Google Authenticator.

The report describes how the only thing Cerberus needs in order to steal the credentials for unlocking an infected Android device is an invisible overlay that captures the input the first time the user unlocks the device. ThreatFabric concludes that this functionality was built into Cerberus so that an infected device can be remotely unlocked and used for fraudulent activity while its owner is not using it.

Cerberus is able to remotely access the Android version of TeamViewer in order to conduct fraud. It can also download the device's full file system contents, run several vulnerable apps that may contain personally identifiable information, change any device settings it needs, and analyze the user's device usage behaviors and habits.

ThreatFabric closes its analysis of Cerberus by noting that these features have not yet been shared on underground forums specializing in malware, and concludes that the variant is still in testing and not yet released into the wild. Many banking and social network apps are targeted by this malware, with ThreatFabric publishing a full list in its report.

Make sure to protect your Android device against this threat by staying vigilant over what it is used for, both by yourself and by anyone else who uses it. Using a web content blocker such as uBlock Origin and an alternative 2FA service such as Authy is also recommended.

Further coverage:
ThreatFabric
ZDNet
Android Police