Android malware reads temporary two-factor codes from Google Authenticator

Google Authenticator is Google's app for generating temporary 2FA codes at login, as an alternative to codes sent by SMS.

These 2FA systems are designed to hinder unwanted logins by requiring the user to confirm the login a second time.

What if someone else has access to this second verification?

Apparently, that is what happens with the Cerberus Trojan for Android. Its latest version is able to steal codes generated in the Google Authenticator app and thus defeat two-factor authentication.

Cerberus is malware that has been present on networks for a few months. The Trojan was first discovered in August 2019 and has been used especially to infect devices in order to gain access to user accounts.

According to the report published by ThreatFabric, the malware manages to access single-use codes and use them to log in without the user's consent.

The Google app for smartphones is protected with a security code for access and, in principle, other applications do not have permission to access the stored information. To get around this, the Trojan uses accessibility permissions, which offer alternative ways of "reading" the screen of a smartphone and its apps.

Abusing these accessibility permissions, the Trojan manages to obtain the information shown in Google Authenticator, that is, the temporary codes.

Another notable feature of Cerberus is the ability to remotely access the infected device.

According to the report, the attackers can connect to the infected smartphone and control the information that arrives on it in order to obtain access codes for services that require a login.

If the login has two-factor authentication enabled, the attacker also opens Google Authenticator to view the temporary code.

The 2FA system is one of the safest currently available since it requires that the login be verified in two different ways.

Generally, very few known cases have occurred in which malware has managed to break 2FA, although Cerberus is now another example of what is possible.

Melannie Cruz
