Malware can steal Google Authenticator 2FA codes from Android Devices

Security researchers say that an Android malware strain can now extract and steal one-time passcodes (OTP) generated through Google Authenticator, a mobile app that’s used as a two-factor authentication (2FA) layer for many online accounts.

Google launched Authenticator as an alternative to SMS-based one-time passcodes. Because Google Authenticator codes are generated on a user’s smartphone and never travel through insecure mobile networks, online accounts who use Authenticator codes as 2FA layers are considered more secure than those protected by SMS-based codes.

Unfortunately, a new form of Android malware is capable of stealing 2FA codes from Google’s app, according to a report by security firm Threatfabric (via ZDNet). According to the report, a variant of the Cerberus banking trojan emerged with this ability in January 2020.

“Abusing the Accessibility privileges, the Trojan can now also steal 2FA codes from Google Authenticator application. When the app is running, the Trojan can get the content of the interface and can send it to the C2 [command and control – ed] server. Once again, we can deduce that this functionality will be used to bypass authentication services that rely on OTP codes,” reads an excerpt of the report.

Threatfabric notes that the new malware feature isn’t being advertised on underground forums just yet, suggesting that this capability is still in testing. The firm says it still presents a major threat to online banking services though. But this could also be a massive threat to other accounts and services that use 2FA, such as email, Google accounts, and more.

Two-factor authentication apps like Google Authenticator are generally considered to be more secure than SMS-based 2FA. Two factor codes via text message can be intercepted, and there have indeed been numerous cases of SIM swap fraud that allows criminal actors to gain these codes.

Nevertheless, we hope to see Google shore up Android’s defenses against this malware, as it likely affects other 2FA apps as well.