New strain of Cerberus Android banking trojan can steal Google Authenticator codes

Pierluigi Paganini February 27, 2020

Experts found a new version of the Cerberus Android banking trojan that can steal one-time codes generated by the Google Authenticator app and bypass 2FA.

Security researchers from ThreatFabric warn of a new Android malware strain can now steal one-time passcodes (OTP) generated through Google Authenticator that is used as part of 2FA to protect online accounts.

The malware-as-a-service Cerberus has emerged in the threat landscape in August 2019, it is an Android RAT developed from scratch that doesn’t borrow the code from other malware.

According to researchers at Threat Fabric who first analyzed the malicious code, Cerberus implements features similar to other Android RAT, it allows operators to full control over infected devices.

The malware implements banking Trojan capabilities such as the use of overlay attacks, the ability to intercept SMS messages and access to the contact list.

  • taking screenshots
  • recording audio
  • recording keylogs
  • sending, receiving, and deleting SMSes, 
  • stealing contact lists
  • forwarding calls
  • collecting device information
  • Tracking device location
  • stealing account credentials, 
  • disabling Play Protect
  • downloading additional apps and payloads
  • removing apps from the infected device
  • pushing notifications
  • locking device’s screen

The author of this malware is very active on Twitter and mocks security firms claiming to have avoided the detection for at least two years.

Now the authors implemented the ability to steal 2FA code from the Google Authenticator app abusing the Accessibility Privileges.

“Abusing the Accessibility privileges, the Trojan can now also steal 2FA codes from . When the app is running, the Trojan can get the content of the interface and can send it to the C2 server. Once again, we can deduce that this functionality will be used to bypass authentication services that rely on OTP codes.” reads the post report published by Threat Fabric.

Until now, experts have yet to find advertisements for these features in underground forums, a circumstance that suggests that this variant of Cerberus is still in the test phase.

ThreatFabric pointed out that Cerberus Trojan is a serious threat, especially to the banking industry.

The report published by ThreatFabric also details other Android malware families, including Anubis, Hydra, Ginp, and Gustuff.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Cerberus, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment