September 27, 2020

Cerberus banking trojan can steal two-factor authentication code from the Google Authenticator app

2 min read

Recently, Amsterdam-based cybersecurity company, ThreatFabric discovered a malicious program called Cerberus. It is the first Android malware to successfully steal 2FA (two-factor authentication) code capabilities generated by the Google Authenticator application. The software is currently under development and there is no evidence that it has been used in actual attacks.

The researchers said that the malicious program mixes banking trojan and remote access trojan (RAT) features. Once an Android user is infected, hackers will use the banking trojan to steal account credentials for mobile banking applications.

The ThreatFabric report states that the remote access Cerberus was first discovered at the end of June 2019. It replaced the Anubis Trojan and gradually became a major malware as a service product.

The report states that Cerberus was updated in mid-January 2020. The new version introduces the ability to steal 2FA tokens from Google Authenticator and the device screen lock PIN and swipe method.

Even if the user account is protected by 2FA (generated by Google Authenticator), the malicious program Cerberus can manually connect to the user device through the RAT function. The hacker will then open the Authenticator application, generate a one-time password, take a screenshot of these codes, and then access the user’s account.

Researcher wrote:

“The feature enabling theft of device’s screen lock credentials (PIN and lock pattern) is powered by a simple overlay that will require the victim to unlock the device. From the implementation of the RAT we can conclude that this screen-lock credential theft was built in order for the actors to be able to remotely unlock the device in order to perform fraud when the victim is not using the device. This once more shows the creativity of criminals to build the right tools to be successful.”