Not all two-factor authentication (2FA) systems are created equal: some, like SMS, are deemed insecure but still better than no 2FA at all. Until biometrics become ubiquitous, the easiest recommended 2FA method is a dedicated 2FA app, of which Google Authenticator is perhaps the most popular. But what if that 2FA app itself is discovered to be insecure? That is the rather worrying situation users may find themselves in thanks to a new but thankfully still unreleased malware.
2FA apps like Google Authenticator, Authy, and LastPass, just to name a few, pretty much act like password managers except they only generate One-Time Passwords (OTPs) when you open the app. The OTPs, of course, expire so that they can’t be reused or even used after an elapsed period of time. Like password managers, however, all that security is thrown out the window if the application itself is compromised.
To be fair, it isn’t Google Authenticator itself that is vulnerable to a strain of malware known as the Cerberus online banking trojan. Instead, it is a side effect of Android’s sometimes too powerful Accessibility service that leaks the 2FA information to hackers. Add a Remote Access Trojan or RAT like Cerberus to that and you’ve got a recipe for a security nightmare.
This very new version of Cerberus abuses that Accessibility functionality to read what should be the very secure and very private contents of Google’s 2FA app. Hackers using this malware could then use that code to log into the victim’s online banking accounts. There’s also nothing stopping them from using non-banking codes to hack the user’s other accounts, too.
The somewhat good news is this Cerberus strain is reportedly still not being sold in the wild as it is still under heavy testing. That may give Google some time to secure both Authenticator and Android against such attacks. It also serves as a reminder to users that convenient as 2FA apps and password managers may be, they are no substitute for vigilance and common sense.