Last month, a Dutch cyber-security firm ThreatFabric discovered the first-ever malware that could hack Google Authenticator application to extract one-time passcodes from a user’s device by taking a screenshot of a user’s screen with Google Authenticator open. The malware, named Cerberus, was under development when it was found and the ThreatFabric report did not find any real-world attacks using the malware. Now, a new research has looked into the malware’s ability to access the content on a user’s screen. It says that this can be easily prevented by using a simple FLAG_SECURE command that prevents any attacker from gaining access to the user’s screen content.
The new research from Night Watch Cybersecurity says that many Android applications with higher security requirements also use the FLAG_SECURE protocol. Night Watch Cybersecurity also filed a bug report with Google, which then filed an internal bug. They say that Google has not informed if the bug has been fixed, and that their internal tests reveal that the bug is still present, hence attackers can still take the screenshot of Authenticator on a victim’s phone.
The report says that a Github user had flagged the issue way back in 2014. Nightwatch also says that they themselves flagged the issue to Google’s security team earlier in 2017 as well. However, all they got was a bounty response the next day. The report also said that the Microsoft Authenticator also comes with the same flaw. Despite them blogging about it in 2018, the issue still remains in the Microsoft application.
The Cerberus malware is a new Android banking trojan that surfaced in 2019. It is a hybrid between a banking trojan and a remote access trojan that allows the attacker to generate OTPs on a victim’s Google Authenticator app and take screenshots of the code using the Remote Access Trojan (RAT). It uses a simple technique of taking screenshots of the Authenticator app’s interface, the ThreatFabric report had said last month.