Why it matters: Banking malware is on the rise, and Android is unsurprisingly the biggest target for attackers looking to steal your sensitive information. A new strand of trojan for Google's mobile operating system has been found to be capable of bypassing multi-factor authentication, which is supposed to be an extra layer of protection for logging into various essential online services.
There's no shortage of Android malware out there, but a new version of the Cerberus banking trojan is now taking the spotlight. According to researchers at ThreatFabric, it can steal one-time codes generated by the Google Authenticator app, which makes it easier for attackers to bypass multi-factor authentication.
If you're unfamiliar with Google Authenticator, it's an app that has been around since 2010 and a popular choice for setting up two-factor authentication on many of today's online services. That means that after you type in your password you also have to input a one-time passcode generated by the app.
The idea of using authenticator apps came as a more secure alternative to SMS-based multifactor authentication, which turned out to be a massive privacy loophole that companies like Facebook have used to target users with ads.
Cerberus was discovered in June 2019, when ThreatFabric analysts found it was being rented out on underground forums. Its creators have even made a Twitter account that has been active until January this year, promoting the trojan as a "malware-as-a-service" deal.
ThreatFabric researchers analyzed Cerberus and found it can abuse accessibility privileges to steal two-factor authentication codes from Google Authenticator and send them to a specific server.
The good news is that there's no evidence this variant of Cerberus has been used extensively in the wild, since its creators have mostly been teasing it to their "customers."
#Malware challenge :— ThreatFabric (@ThreatFabric) February 20, 2020
🤔Try finding the relation between these screenshots...
💡The answer: They represent latest changes in the #Cerberus #Android banking #Trojan, first spotted mid January, still under development pic.twitter.com/QRFdiWYpLe
The bad news is that Cerberus has been confirmed to have the same feature set found in remote access trojans (RATs). This means that an attacker using Cerberus can remotely connect to an infected Android device and compromise every service you use, like email, social media, bank accounts, and possibly even tools like LastPass that allow you to secure all your passwords in a vault protected by a single, master password.
Even worse, Cerberus is not the first malware found to be able to do all this, but those discovered by ESET and Symantec in the past were only able to target SMS-based multi-factor authentication.
Banking trojan attacks are on the rise, and Google is trying to increase the security of multi factor authentication on Android. For example, if you have a device that runs Android 7.0 (Nougat) or later, you can use it as a physical authentication key, meaning it has to be within Bluetooth range of the device used to access a specific service. And that's about as safe as it can get.