“Cerberus” Android Banking Trojan Can Now Steal Google Authenticator’s 2FA Tokens

  • An upcoming version of Cerberus can bypass people’s 2FA and steal accounts that are protected by OTP codes.
  • The newest version of the banking trojan is still under development and testing, so it’s not yet available for purchase.
  • Cerberus received heavy code rewriting and C2 upgrades since its initial release a couple of months ago.

A new version of the “Cerberus” Android banking trojan has the capacity to steal the one-time codes used in two-factor authentication steps. On Android, these codes are generated by “Google Authenticator”, and their whole point is to protect online accounts from being taken over by hackers. Generating these 6- or 8-digit codes locally on the device is preferable to receiving them via SMS, since the latter is susceptible to SIM swapping attacks. However, we now see that malware writers have figured out a way to render Google Authenticator insecure, as they can steal the one-time codes and bypass the user’s 2FA protection steps.

Cerberus made its appearance back in August 2019, as malware for rent. Even from its humble beginnings, it featured advanced obfuscation, anti-deletion, and anti-analysis systems, and was able to mimic a large variety of banks from around the globe. Researchers at ThreatFabric have been following the Trojan closely, sampling new iterations and trying to find out what new features are being added. According to the same team of analysts, the developers of Cerberus are not yet promoting their software’s ability to steal OTPs on darknet forums, and the only samples that can do it are currently used for testing and refinement. This means that OTP-stealing versions of Cerberus are not on offer yet.

In addition to stealing the 2FA tokens from Google Authenticator, the code refactoring has also added the ability to steal screen-lock credentials such as the user’s PIN or swipe pattern. Besides that, it comes with enhanced RAT (remote access) features and updates to its C2 communication protocol. The RAT service now supports launching and configuring TeamViewer connections, as well as directly downloading data from the device’s filesystem. To do all of the above, the Trojan needs the “Accessibility” permissions, which it abuses as required.

If you are using banking services right from your mobile phone, remember that malware like Cerberus can push overlays that look exactly like the real thing. Moreover, Cerberus and Anubis use your device’s pedometer to figure out when you’re moving, and activate only when you're on the go. You won’t find their icon in the app drawer, but you will be prompted to grant permission to use the Accessibility Service. Once you do that, Cerberus will grant itself whatever other permissions it needs, so be careful when you’re met with a request of this type.
