Google ignored a key vulnerability in its Authenticator app for years

Security researchers have spotted the first Android malware capable of snatching two-factor authentication codes as they are generated. 

And Google Authenticator users are the targets.

The malware – which was originally discovered by ThreatFabric in February and reported by ZDNet – is called Cerberus. It is a hybrid between a banking trojan and a remote access trojan, or RAT, and takes advantage of a severe flaw in Google’s 2FA software.

Once an Android user has been infected by Cerberus, cyber criminals can connect to that device remotely using the malware’s RAT features.

They can then open Google’s Authenticator app, generate a one-time passcode and take a screenshot of that code to gain access to the user’s account, all without touching the phone.

The malware’s banking trojan features can then swoop in to steal credentials from any mobile banking apps on the device.

While Cerberus was identified in February, the latest update to the saga comes from research published by Nightwatch Cybersecurity last week: Google could have patched the vulnerability the malware takes advantage of as far back as 2014.

According to Nightwatch, the malware is able to exploit the Authenticator app because Google failed to enable the screenshot-blocking option built into the Android OS.

Google’s operating system includes an option that stops other apps from capturing screenshots of an app, but the company did not apply the precaution to the Authenticator app.

The screenshot option was first brought to Google’s attention in October 2014 by GitHub user ThomasHabets and then again by Nightwatch in 2017, though Google failed to act on either warning.

Luckily, Cerberus’ code-stealing feature is still under development, according to ThreatFabric, having yet to be detected in a real-world attack.

Trusted Reviews has reached out to Google for comment but has yet to receive a response.
