Flaw That Allows a Malware to Steal 2FA Codes from Google Authenticator Could Have Been Fixed Long Back

The issue with Google Authenticator allowing screenshots was flagged way back in 2014.

Highlights
  • Cerberus malware takes screenshots of Google Authenticator using a RAT
  • Screenshots can be blocked using the simple FLAG_SECURE window flag
  • The issue was first flagged to Google in 2014
Google Authenticator was launched in 2010, as a safer alternative to sending OTPs over SMS

Last month, Dutch cyber-security firm ThreatFabric discovered the first-ever malware that could extract one-time passcodes from the Google Authenticator application on a user's device by taking a screenshot of the screen while Google Authenticator is open. The malware, named Cerberus, was under development when it was found, and the ThreatFabric report did not find any real-world attacks using the malware. Now, new research has looked into the malware's ability to access the content on a user's screen. It says that this can be easily prevented by setting the simple FLAG_SECURE window flag, which prevents any attacker from gaining access to the user's screen content.

The new research from Night Watch Cybersecurity says that many Android applications with higher security requirements also use the FLAG_SECURE flag. Night Watch Cybersecurity also filed a bug report with Google, which then filed an internal bug. They say that Google has not told them whether the bug has been fixed, and that their internal tests reveal that the bug is still present, so attackers can still take a screenshot of Authenticator on a victim's phone.
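How an Android app sets the flag discussed above, as an added example (not code from Google Authenticator, Microsoft Authenticator or either research firm); the package, class and method names are hypothetical. It goes one step beyond the article by also flagging a dialog, because a dialog has its own window and is not covered by the flag on the activity that hosts it.

```java
package com.example.otp; // hypothetical package name

import android.app.Activity;
import android.app.AlertDialog;
import android.app.Application;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;

/** Hypothetical Application class; register it via android:name in AndroidManifest.xml. */
public class SecureApp extends Application {

    /** Marks a window secure: its content is kept out of screenshots and non-secure displays. */
    static void secure(Window window) {
        if (window != null) {
            window.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                            WindowManager.LayoutParams.FLAG_SECURE);
        }
    }

    @Override
    public void onCreate() {
        super.onCreate();
        // Flag every activity centrally so a screen added later cannot be forgotten.
        registerActivityLifecycleCallbacks(new ActivityLifecycleCallbacks() {
            @Override public void onActivityCreated(Activity a, Bundle state) {
                secure(a.getWindow()); // runs during onCreate, before the window is shown
            }
            @Override public void onActivityStarted(Activity a) { }
            @Override public void onActivityResumed(Activity a) { }
            @Override public void onActivityPaused(Activity a) { }
            @Override public void onActivityStopped(Activity a) { }
            @Override public void onActivitySaveInstanceState(Activity a, Bundle out) { }
            @Override public void onActivityDestroyed(Activity a) { }
        });
    }

    /** Shows a one-time code in a dialog; the dialog window needs the flag set separately. */
    static AlertDialog showCodeDialog(Activity host, String code) {
        AlertDialog dialog = new AlertDialog.Builder(host).setMessage(code).create();
        secure(dialog.getWindow()); // set before show()
        dialog.show();
        return dialog;
    }
}
```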

The report says that a GitHub user had flagged the issue way back in 2014. Night Watch Cybersecurity also says that they themselves flagged the issue to Google's security team earlier in 2017 as well. However, all they got was a bounty response the next day. The report also said that Microsoft Authenticator comes with the same flaw. Despite them blogging about it in 2018, the issue still remains in the Microsoft application.

The Cerberus malware is a new Android banking trojan that surfaced in 2019. It is a hybrid between a banking trojan and a Remote Access Trojan (RAT) that allows the attacker to generate OTPs on a victim's Google Authenticator app and take screenshots of the code using the RAT. It uses a simple technique of taking screenshots of the Authenticator app's interface, the ThreatFabric report had said last month.

© Copyright Red Pixels Ventures Limited 2025. All rights reserved.