Last month, a cybersecurity firm discovered the first-ever Android malware that came with the capability to steal the 2FA (two-factor authentication) codes generated by the Google Authenticator app.
The malware, discovered by researchers from ThreatFabric, was named Cerberus, and its 2FA OTP code-stealing feature was still under development, yet to have been detected in a real-world attack.
According to researchers, the malware was a hybrid between a banking trojan and a remote access trojan (RAT). Once an Android user got infected, the hacker would use the malware’s banking trojan features to steal credentials for mobile banking apps.
If an account was protected by 2FA, and namely by the Google Authenticator app, the malware was designed to allow the Cerberus gang to connect to a user’s device manually, via its RAT features. Hackers would then open the Authenticator app, generate one-time passcodes, take a screenshot of the codes, and then access the user’s account.
ThreatFabric’s discovery was a significant one. Not only was Cerberus the first-ever Android malware that was stealing one-time 2FA codes, but it was also doing so using a simple technique — by screenshotting the Authenticator app’s interface.
No FLAG_SECURE protections
In research published this week, researchers from Nightwatch Cybersecurity delved deep into the root cause that enabled this attack, namely that the Authenticator app allowed its content to be screenshotted in the first place.
The Android OS allows apps to protect their users by blocking other apps from screenshotting their content. This is done by adding a “FLAG_SECURE” option inside the app’s configuration.
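As an added illustration (not code from the article, Google or Nightwatch), this is what the hardening described above looks like in an Android activity that renders an OTP: the flag is set on the window before any content is attached. The vulnerable form is the same activity without the `setFlags` call; the class, method and sample code value are assumptions for the example.

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.WindowManager;
import android.widget.TextView;

// Hypothetical activity that displays a one-time code. Without the
// setFlags(...) call below, the window is an ordinary one and a screenshot
// or a MediaProjection screen recording shows the code in clear, which is
// exactly the gap the Cerberus RAT feature relied on.
public class OtpActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // FLAG_SECURE must be applied before the window is first drawn,
        // so it goes ahead of setContentView(). The system then excludes
        // this window from screenshots, screen recording and non-secure
        // displays.
        getWindow().setFlags(
                WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);

        TextView otpView = new TextView(this);
        otpView.setText("123 456"); // constructed sample value
        setContentView(otpView);
    }

    // Self-check for an instrumented test or a debug screen: true when the
    // secure bit is present on this activity's window. Note that a Dialog
    // has its own Window and needs the flag set separately.
    public boolean isWindowSecure() {
        int flags = getWindow().getAttributes().flags;
        return (flags & WindowManager.LayoutParams.FLAG_SECURE) != 0;
    }
}
```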
Google did not add this flag to the Authenticator app, despite the fact that the app was handling some pretty sensitive content.
Nightwatch researchers said that Google could have fixed this issue as early as October 2014, when this misconfiguration was first brought to its attention by someone on GitHub.
Furthermore, Nightwatch researchers raised this very same point again in 2017, when they reported the same issue to Google’s security team.
In addition, they also found that Microsoft’s Authenticator app for Android also featured (and still features) the same misconfiguration that allows its screen to be screenshotted.
“Flag prevents other apps from taking screenshots or recording the screen,” Lukas Stefanko, one of ESET’s leading mobile malware analysts, told ZDNet earlier today when we asked him to review the report.
In light of the ThreatFabric report, many users, security researchers, and ZDNet’s own Adrian Kingsley-Hughes have argued that it may be time to move on from Authenticator to other 2FA OTP code-generating apps, or even to more secure 2FA authentication methods like hardware keys.