Android users are being warned that a new strain of malware, which can be baked into banking apps, can steal their two-factor authentication (2FA) codes. Cerberus, a banking Trojan first seen in June 2019, has recently been updated with the ability to capture the 2FA codes generated by Google Authenticator, one of the most popular 2FA tools among Android users.
Trojan Can Steal Patterns, PIN Codes, and 2FA Credentials
The increased threat posed by the new strain of the Cerberus Trojan was picked up by the Dutch security firm ThreatFabric, which found that the codebase had been tweaked to steal “device screen-lock credentials”, a category covering any pattern or code shown on the device’s screen, such as a PIN code, swipe pattern, or 2FA credentials. This led them to a fairly simple conclusion:
…the Trojan can now also steal 2FA codes from the Google Authenticator application. When the app is running, the Trojan can get the content of the interface and can send it to the C2 server. Once again, we can deduce that this functionality will be used to bypass authentication services that rely on OTP codes.
The malware is also capable of launching TeamViewer and creating connections to remote sources, giving the attackers full access to the compromised device. Cerberus is thought to have “taken over from the infamous Anubis Trojan as major rented banking malware”, which we reported on last July.
ThreatFabric states that, as of February 2020, the codebase had not been offered for sale on the dark web, suggesting that it is still in a testing phase ahead of a release in the near future.
Only a Matter of Time
When Google replaced SMS codes with the built-in code generator in 2017, the move was widely considered a significant step up in security, which it was, but it was always only a matter of time before the hackers caught up.
Despite the potential for it to be compromised, 2FA remains the safest security layer you can implement and is certainly something that should be used wherever possible. This is why top exchanges like Binance and Kraken insist on 2FA security when you open an account.
To reduce the risk of being compromised by such attacks, we recommend that you only ever download apps from official app stores, and ideally use a separate device that is not connected to the internet to generate your 2FA codes.