Security researchers have discovered a new version of the Android banking trojan Cerberus that can steal the 2FA codes generated by the Google Authenticator app.
Researchers at Amsterdam-based ThreatFabric found that the malware, which its authors have extended with remote access trojan (RAT) features since it last surfaced in June 2019, can use the stolen codes to get past 2FA on the victim's accounts.
“This new Cerberus variant has undergone refactoring of the code base and updates of the C2 communication protocol, but most notably it got enhanced with the RAT capability, the possibility to steal device screen-lock credentials (PIN code or swipe pattern) and 2FA tokens from the Google Authenticator application,” the researchers explained.
The RAT component can also launch TeamViewer and hand the attacker full remote control of the device, letting them change settings, install and remove apps, and operate the apps already on the device, including banking and social-network apps.
Because Cerberus also steals the screen-lock credentials (PIN code or swipe pattern), the attackers can unlock the device remotely and use it even while the victim is not.
“Abusing the Accessibility privileges, the Trojan can now also steal 2FA codes from Google Authenticator application. When the app is running, the Trojan can get the content of the interface and can send it to the C2 server. Once again, we can deduce that this functionality will be used to bypass authentication services that rely on OTP codes.”
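The mechanism described in the quote above is an accessibility service reading the view tree of the foreground app. The following Android snippet, added here as an illustration and not taken from the ThreatFabric report or from Google Authenticator, shows the two app-side mitigations a developer of an OTP-displaying app has, plus a check for unexpected accessibility services. The activity name, the placeholder code and the allow-list of benign service packages are assumptions for the example.

```java
// Added illustration (not from the article or the ThreatFabric report):
// reducing an OTP app's exposure to accessibility-service scraping and
// remote screen viewing on Android.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.util.Log;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import android.widget.TextView;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class OtpActivity extends Activity {
    // Hypothetical allow-list: accessibility services the app treats as benign.
    private static final List<String> KNOWN_BENIGN =
            Arrays.asList("com.google.android.marvin.talkback");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // 1. FLAG_SECURE blanks this window in screenshots, screen recording and
        //    MediaProjection-based remote viewing. It does NOT hide view text
        //    from accessibility services, so it is only half of the answer.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        TextView otpView = new TextView(this);
        otpView.setText("123456"); // placeholder; a real app renders its TOTP here

        // 2. Exclude the OTP view (and any children) from the accessibility
        //    node tree, so a service calling getRootInActiveWindow() does not
        //    receive the code as node text. Trade-off: screen readers cannot
        //    read the code either.
        otpView.setImportantForAccessibility(
                View.IMPORTANT_FOR_ACCESSIBILITY_NO_HIDE_DESCENDANTS);
        setContentView(otpView);

        // 3. Advisory only: list enabled accessibility services the app does
        //    not recognise. Malware already holding the permission could still
        //    act, but the signal is useful for warning the user or the backend.
        List<String> unknown = unknownAccessibilityServices(this);
        if (!unknown.isEmpty()) {
            Log.w("OtpActivity", "Unrecognised accessibility services: " + unknown);
        }
    }

    /** Package names of enabled accessibility services not on the allow-list. */
    static List<String> unknownAccessibilityServices(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> result = new ArrayList<>();
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (!KNOWN_BENIGN.contains(pkg)) {
                result.add(pkg);
            }
        }
        return result;
    }
}
```

The two window and view settings are complementary: FLAG_SECURE addresses the RAT's screen-streaming path, while hiding the view from accessibility addresses the scraping path the quote describes. Neither helps once the attacker has the screen-lock credentials and a live remote session, which is why the report treats the combination as a full account-takeover capability rather than a 2FA-specific one.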
The researchers also note that, since this strain has not yet been discussed on underground forums, it is likely still in a test phase and may be released soon.
The report also covers Gustuff, another Android banking trojan, Hydra, a discontinued banking trojan, Ginp and Anubis. You can read the full research report here.