Security researchers have spotted the first Android malware capable of snatching two-factor authentication codes as they are generated.
And, Google Authenticator users are the targets.
The malware, originally discovered by ThreatFabric in February and reported by ZDNet, is called Cerberus. It is a hybrid between a banking trojan and a remote access trojan, or RAT, and takes advantage of a severe flaw in Google’s 2FA software.
Once an Android user has been infected by Cerberus, cyber criminals can connect to that device remotely using the malware’s RAT features.
They can then open Google’s Authenticator app, generate a one-time passcode and take a screenshot of that code to gain access to the user’s account, all without touching the phone.
The malware’s banking trojan features can then swoop in to steal credentials from any mobile banking apps on the device.
While Cerberus was identified in February, the latest update to the saga comes from research published by Nightwatch Cybersecurity last week.
Namely, that Google could have patched the vulnerability the malware takes advantage of as far back as 2014.
According to Nightwatch, the malware is able to exploit the Authenticator app because Google never enabled the screenshot-blocking option built into the Android OS.
Android lets an app mark its own screens as protected so that other apps cannot capture them, but Google did not apply that precaution to the Authenticator app.
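The screenshot-blocking option the article refers to is Android’s FLAG_SECURE window flag. The following is an added example, not Google Authenticator’s own code, showing an activity that displays codes without the flag beside one that sets it; the class and layout names are assumed.

```java
// --- UnprotectedCodeActivity.java (hypothetical name) ---
import android.app.Activity;
import android.os.Bundle;

// Weak form: the window that renders one-time codes has no capture protection,
// so anything able to take a screenshot of the screen sees the code.
public class UnprotectedCodeActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_codes); // hypothetical layout
    }
}

// --- ProtectedCodeActivity.java (hypothetical name) ---
import android.app.Activity;
import android.os.Bundle;
import android.view.WindowManager;

// Hardened form: FLAG_SECURE tells the system to treat this window's content
// as secure. Screenshots of it are refused, screen recording via
// MediaProjection renders it black, and the Recents thumbnail is blanked.
// The flag must be in place before the window is first drawn, so it is
// added before setContentView().
public class ProtectedCodeActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_codes); // hypothetical layout
    }
}
```

FLAG_SECURE only prevents pixel capture of that one window; it is a hardening step for the app and does not undo the compromise of a device that is already under remote control.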
The missing screenshot protection was first brought to Google’s attention in October 2014 by GitHub user ThomasHabets, and then again by Nightwatch in 2017, though Google failed to act on either warning.
Luckily, Cerberus’ code-stealing feature is still under development, according to ThreatFabric, having yet to be detected in a real-world attack.
Trusted Reviews has reached out to Google for comment but has yet to receive a response.