Security researchers found that even the Google Authenticator app isn’t reliable for secure logins. ThreatFabric researchers found malware capable of stealing 2FA codes from the Google Authenticator app, startling the MFA community. Nightwatch researchers later confirmed the cause: Google hadn’t set an option that would prevent the app from being screenshotted.
Alas, not even 2FA is secure now
New research by ThreatFabric reveals a new Android malware called Cerberus, which can steal 2FA codes from the Google Authenticator app! This wasn’t cleverness on Cerberus’s part, though, but a plain blunder by Google, we can say.
Google has long failed to add one simple line of code to one of its most sensitive apps. Google Authenticator lets any third-party app capture a screenshot, letting the content be copied and stolen by anyone. Cerberus is just one such app, and it turns out to be a hybrid of banking malware and a general Remote Access Trojan (RAT).
Once a phone has been infected somehow, attackers can navigate to the Google Authenticator app and use Cerberus to manually trigger a screenshot, copying the passcode shown on screen. This lets them gain access to any sensitive services the victim uses. Though the malware is still under development, it has the potential to victimize many in a short span of time.
Deep analysis by Nightwatch into this incident revealed that Google’s Authenticator app is missing a key feature, which is what lets this happen. Screenshots by third-party apps can be blocked if the app sets the FLAG_SECURE option on its windows. But Google didn’t!
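For readers who want to see what the missing setting looks like in practice, here is an added example of an Android Activity that displays one-time codes and marks its window as secure. This is not code from the article, from ThreatFabric or Nightwatch, or from Google Authenticator; the class name OtpDisplayActivity and the layout name R.layout.activity_otp are assumed.

```java
// Added example (not the article's or Google Authenticator's code): an Activity
// that shows one-time codes and sets FLAG_SECURE so the system treats its
// window as sensitive. Class and layout names are assumed.
import android.app.Activity;
import android.app.Dialog;
import android.os.Bundle;
import android.view.WindowManager;

public class OtpDisplayActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // FLAG_SECURE makes the window's content appear black in screenshots,
        // in the Recents thumbnail, and in screen-recording / MediaProjection
        // captures. Set it before attaching content so the code is never
        // rendered in an unprotected window, even briefly.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        setContentView(R.layout.activity_otp); // assumed layout name
    }

    // The flag is per window, not per app. A Dialog owns its own Window, so
    // any dialog that renders a code has to set the flag separately.
    private void showCodeDialog(Dialog dialog) {
        dialog.getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
        dialog.show();
    }
}
```

Note that FLAG_SECURE addresses screen capture only: it is one layer of defence for an app that displays secrets, not a complete answer to a device already running a RAT, so it belongs alongside the usual mobile hardening rather than in place of it.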
This flaw was first surfaced by a user on GitHub and later pointed out by researchers too. Yet there has been no response from Google about fixing it! After finding this vulnerability, some researchers even suggested moving away from Google Authenticator to other 2FA apps.