
Google ignored a key vulnerability in its Authenticator app for years

Security researchers have spotted the first Android malware capable of snatching two-factor authentication codes as they are generated.

And Google Authenticator users are the targets.

The malware – which was originally discovered by ThreatFabric in February and reported by ZDNet – is called Cerberus. It is a hybrid between a banking trojan and a remote access trojan, or RAT, and takes advantage of a severe flaw in Google’s 2FA software.

Once an Android user has been infected by Cerberus, cyber criminals can connect to that device remotely using the malware’s RAT features.

They can then open Google’s Authenticator app, generate a one-time passcode and take a screenshot of that code to gain access to the user’s account, all without touching the phone.

The malware’s banking trojan features can then swoop in to steal credentials from any mobile banking apps on the device.


While Cerberus was identified in February, the latest update to the saga comes from research published by Nightwatch Cybersecurity last week: Google could have patched the vulnerability the malware takes advantage of as far back as 2014.

According to Nightwatch, the malware is able to exploit the Authenticator app because Google never enabled the screenshot-blocking option built into the Android OS for it.

Android lets an app mark its own screens so that they cannot be captured by screenshots or screen recording, but Google did not apply that precaution to the Authenticator app, so the one-time codes it displays can be captured like any other on-screen content.
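The following is an added illustration, not code from Google Authenticator, Nightwatch or ThreatFabric. It shows how an Android activity that displays a one-time code would apply the screenshot-blocking option the article refers to, which I take to be the `FLAG_SECURE` window flag, and includes a small check a test suite could run against every screen that shows a secret. The `OtpActivity` class name and the displayed code value are constructed for the example.

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;
import android.widget.TextView;

/**
 * Illustrative activity that shows a one-time code and marks its window as
 * secure so the Android compositor refuses to include it in screenshots,
 * screen recordings and screen-sharing surfaces.
 * Example code only; not from any of the projects named in the article.
 */
public class OtpActivity extends Activity {

    // Constructed placeholder; a real app would render the live TOTP value.
    private static final String SAMPLE_CODE = "123 456";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Apply the flag BEFORE attaching any content so that no frame
        // containing the code is ever drawn to a capturable surface.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        TextView codeView = new TextView(this);
        codeView.setText(SAMPLE_CODE);
        setContentView(codeView);
    }

    /**
     * Returns true when the given window has FLAG_SECURE set. Handy as an
     * instrumentation-test assertion so a screen that displays a secret
     * cannot silently lose the protection in a later refactor.
     */
    public static boolean isCaptureBlocked(Window window) {
        int flags = window.getAttributes().flags;
        return (flags & WindowManager.LayoutParams.FLAG_SECURE) != 0;
    }
}
```

Setting the flag in `onCreate` before `setContentView` matters: if it is applied later, the first rendered frame can still be captured. The flag protects only the rendered window; it is a mitigation for the capture path described in the article, not a substitute for keeping the device itself free of malware.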


The missing screenshot protection was first brought to Google’s attention in October 2014 by GitHub user ThomasHabets and then again by Nightwatch in 2017, though Google failed to act on either warning.

Luckily, Cerberus’ code-stealing feature is still under development, according to ThreatFabric, having yet to be detected in a real-world attack.

Trusted Reviews has reached out to Google for comment but has yet to receive a response.
