Banking Trojan Can Steal One-Time Pins On Google Authenticator App
The Cerberus trojan allows an attacker to take screenshots of the phone’s content.
According to a ZDNet story, Android malware has been found that can extract the one-time passwords and PINs generated by the Google Authenticator app, which is used as a two-factor authentication (2FA) layer for many online accounts.
The app was launched back in 2010 as an alternative to SMS-based OTPs. It generates unique six- to eight-digit codes that users must enter in login forms when accessing their online accounts.
ThreatFabric, a Dutch mobile security firm, spotted a vulnerability in the app whereby the Cerberus Android banking trojan had the capability to steal banking 2FA codes. The trojan was first launched in June 2019.
The trojan allows an attacker to take screenshots of the phone’s content and access it.
What is surprising is that Google could have fixed the 2FA code-stealing issue back in 2014, when it was first reported, but it was never addressed.
According to experts, the malware is a hybrid between a banking trojan and a remote-access trojan. Once an Android user is infected, the attacker can gain access to the user’s credentials, especially for mobile banking apps and social media accounts.
Researchers at Nightwatch Cybersecurity dug deeper into the problem and found that the attack could be avoided: adding the “FLAG_SECURE” option to the app’s window configuration prevents any app from taking screenshots of the phone’s content while the code is on screen.
Google had not added this option earlier, despite the fact that the app displays sensitive information.
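As an added illustration (not code from the article, from ThreatFabric or Nightwatch Cybersecurity, or from the Google Authenticator app itself), the Kotlin snippet below shows both halves of the story: how an authenticator derives a six- to eight-digit code from a shared secret and the current time (RFC 6238 TOTP, the scheme Google Authenticator implements), and how an Android activity that displays such a code sets FLAG_SECURE so its window cannot be captured. The activity class, the layout and view ids, and the sample secret are assumptions made for this example.

```kotlin
import android.os.Bundle
import android.view.WindowManager
import android.widget.TextView
import androidx.appcompat.app.AppCompatActivity
import java.nio.ByteBuffer
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

/** RFC 6238 TOTP: HMAC-SHA1 over the current 30-second time step, dynamically truncated. */
object Totp {
    fun generate(secret: ByteArray, unixSeconds: Long, digits: Int = 6, stepSeconds: Long = 30): String {
        require(digits in 6..8) { "digits must be 6..8" }
        val counter = unixSeconds / stepSeconds
        // The HMAC message is the time-step counter as an 8-byte big-endian integer.
        val msg = ByteBuffer.allocate(8).putLong(counter).array()
        val mac = Mac.getInstance("HmacSHA1").apply { init(SecretKeySpec(secret, "RAW")) }
        val h = mac.doFinal(msg)
        // Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
        val off = h.last().toInt() and 0x0f
        val bin = ((h[off].toInt() and 0x7f) shl 24) or
                  ((h[off + 1].toInt() and 0xff) shl 16) or
                  ((h[off + 2].toInt() and 0xff) shl 8) or
                  (h[off + 3].toInt() and 0xff)
        var mod = 1
        repeat(digits) { mod *= 10 }
        // Keep the low `digits` decimal digits, zero-padded so leading zeros survive.
        return (bin % mod).toString().padStart(digits, '0')
    }
}

/** Hypothetical activity that shows the current code (placeholder layout and view ids). */
class OtpDisplayActivity : AppCompatActivity() {
    // Constructed sample secret for the example; a real app keeps it in keystore-backed storage.
    private val secret = "12345678901234567890".toByteArray(Charsets.US_ASCII)

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // FLAG_SECURE marks this window's surface as protected: screenshots, screen
        // recording (MediaProjection) and mirroring to non-secure displays yield a
        // blank frame instead of the code. Set it before setContentView so the very
        // first frame is already protected.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        setContentView(R.layout.activity_otp_display)   // placeholder layout resource
        val code = Totp.generate(secret, System.currentTimeMillis() / 1000)
        findViewById<TextView>(R.id.otp_code).text = code   // placeholder view id
    }
}
```

Two practical notes. The generator can be checked against the test vectors in RFC 6238 Appendix B (the ASCII secret used above is the one those vectors use). And FLAG_SECURE protects only the window's pixels: it closes the screenshot and screen-recording path the article describes, but it does not hide the text of on-screen views from an app that has been granted accessibility permissions, so it is one layer of defence rather than a complete one.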
In light of this, experts recommend that 2FA apps be updated and hardened, and that hardware security keys be used to protect access to social media accounts.
(The Quint is available on Telegram. For handpicked stories every day, subscribe to us on Telegram)