Future view: Cerberus trojan steals 2FA codes via Google Authenticator


The new version of Android malware will be able to break into accounts by using the stolen codes


Security researchers have observed a new variant of the Cerberus banking trojan for Android that can read one-time codes from Google Authenticator[1] and use them to break into accounts protected by two-factor authentication. The feature has not yet been seen in the versions of the trojan in active circulation, but the researchers expect Cerberus to start operating as 2FA-code-stealing malware soon.

Google Authenticator, the malware's target, is a free app that generates the second factor for two-step verification, so that a stolen password alone is not enough to log in. It is widely used because it is easy to set up, which is exactly what makes it an attractive target.

Google Authenticator generates a short numeric code, normally six digits (seven- and eight-digit codes are also possible), that the user enters together with the password in order to log in. App-generated codes are considered safer than codes sent to the user in SMS messages,[2] because SMS messages can be intercepted. However, even an authenticator app can be undermined by malware that reads the code straight off the screen.

Cerberus records the one-time passwords and delivers them to a C&C server

According to ThreatFabric, a Dutch mobile security company, the trojan abuses Android's Accessibility Service permission to read the contents of the Google Authenticator screen and harvest the two-factor[3] codes it displays. Once collected, the codes are sent to a remote command-and-control (C&C) server.[4]

Cerberus is already a sophisticated piece of malware, and the code-stealing feature will make it more dangerous still. The current versions combine remote access to the infected device, theft of the victim's credentials, and bypass of two-factor protections to log in to the victim's bank account; together these let the operators empty the account. Because each one-time code is valid only for a short window, the remote-access capability matters: the operator can use the stolen code from the device while it is still accepted. ThreatFabric expects the Authenticator feature to be used in the same way in future attacks.

A new variant of the trojan can start targeting online accounts

Since Cerberus is sold as malware-as-a-service on underground forums, its customers can adapt the tool to their own targets.[5] With codes lifted from Google Authenticator, the theft is no longer limited to bank accounts.

According to the researchers, the new feature puts social media accounts, email accounts, e-commerce profiles and other services at risk. An attacker who takes over such an account can use it for any purpose: sending malicious messages to the victim's entire contact list on Facebook, Instagram, Twitter and the like, spreading malware by email to the victim's contacts, or stealing money by signing the victim up to useless subscriptions or making purchases through a stored shopping account.

For now this is a warning that users will have to be even more careful. Do not open attachments or links that arrive with suspicious email messages, do not install software from pirated or unofficial sources, and ignore unknown advertisements that pop up while browsing. On Android specifically, be wary of any app that requests Accessibility Service access it has no plausible need for, since that permission is what lets Cerberus read codes off the screen.