“Cerberus” Android Banking Trojan Can Now Steal Google Authenticator’s 2FA Tokens

By Bill Toulas / February 27, 2020

A new version of the “Cerberus” Android banking trojan has the capacity to steal one-time codes used in two-factor authentication steps. These codes on Android are generated by “Google Authenticator”, and the whole point is to protect various online accounts from being taken over by hackers. Generating these 6 or 8-digit passwords locally on the device is preferable to sending them via SMS since the latter is susceptible to SIM swapping attacks. However, we now see that malware writers have figured out ways to render Google Authenticator insecure, as they can steal one-time codes and bypass the user’s 2FA protection steps.

Cerberus made its appearance back in August 2019, as malware for rent. Even from its humble beginnings, it featured advanced obfuscation, anti-deletion, and anti-analysis systems, and was able to mimic a large variety of banks from around the globe. Researchers at ThreatFabric have been following the Trojan closely, sampling new iterations and trying to find out what new features are added. According to the same team of analysts, the developers of Cerberus are not promoting their software’s ability to steal OTPs on darknet forums yet, and the only samples that can do it are used for testing and refinement right now. This means that OTP-stealing versions of Cerberus are not for offer yet.

In addition to stealing the 2FA tokens from Google Authenticator, the code refactoring has also added the ability to steal screen-lock credentials such as the user PIN or the swipe pattern. Besides that, it comes with enhanced RAT (remote access) features, and updates in its C2 communication protocol. The RAT service now supports the launching and setting of TeamViewer connections, as well as the direct downloading of data from the device’s filesystem. To do all of the above, the Trojan will need access to the “Accessibility” permissions, which it abuses as required.

If you are using banking services right from your mobile phone, remember, malware like Cerberus can push overlays that look exactly like the real thing. Moreover, Cerberus and Anubis are using your device’s pedometer to figure out when you’re moving, and activate only when you're on the go. You won’t find their icon on the drawer, but you will be prompted to grant permission to use the Accessibility Service. Once you do that, Cerberus will grant itself whatever other permission it needs, so be careful when you’re met with a request of this type.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: