Using app-generated one-time passcodes (OTPs) is perhaps the easiest and most cost-effective way to add a second authentication layer to all your online accounts and services. They eliminate almost any chances of an unauthorized person accessing your accounts even if they’ve got hold of your passwords. But it would be a scary situation if the passcodes within those apps were compromised, and that’s just the threat Google Authenticator is facing right now thanks to some banking malware.
A research paper published by ThreatFabric on remote-access trojans (RATs) uncovered a version of Cerberus (not to be confused with the Cerberus app) in testing that does much more harm than its current version is capable of. The makers of the trojan are working on the capability to covertly read your Android phone screen to siphon off device-unlocking credentials (PINs and passwords) and other vital information, such as the 2FA tokens that appear in the Google Authenticator app, or its various alternatives.
Using these credentials, the bad actors would be able to remotely unlock infected phones without user intervention for conducting financial fraud, while non-banking apps wouldn’t be safe either. The new banking trojan exploits Accessibility privileges to read what’s on your screen and then relays your information to a remote server. It can even set up a connection on TeamViewer, giving the hackers deeper access to your phone, as shown in the code snippet provided by the researchers.
The report notes that the new version of Cerberus banking trojan isn’t being advertised or sold in the hacking forums that the researchers checked. They believe there is a good chance that the malware is under development and will be released soon with “an exhaustive target list” focusing on financial institutions around the world. In addition to Cerberus, the research also details other similar trojans for the Android OS, namely Gustuff, Hydra, Ginp, and Anubis, which have a more concentrated target list.
Meanwhile, what you can do to safeguard yourself is keep a vigilant eye on the websites you visit, files or email attachments you download, apps you pull from unknown sources, and the messages you receive while chatting online? To further secure your accounts, you can step up to physical security keys, such as those from Yubico and Google, which cannot be compromised without physical access.