A Malware Called Cerberus Can Steal Google Authenticator 2FA Codes From Android Devices
Last year, Chinese hackers successfully managed to bypass 2FA by generating seemingly 'genuine' codes. The underlying process was long-winded and relied on several existing vulnerabilities in enterprise software. Now, an Android malware going by the name of Cerberus can reportedly steal authentication codes directly from the device, undermining 2FA. It was discovered earlier last year by security research firm ThreatFabric. Its ability to steal 2FA codes, however, is a recent addition to the program.
Google Authenticator is Google's replacement for SMS-based 2FA codes. It is ideal for when you need to sign into a 2FA-enabled account in an area without network coverage or on a device that lacks a SIM card. It also bolsters security, as the codes are generated locally on the device, which protects them against interception in transit.
Cerberus can steal 2FA codes from Google Authenticator
Cerberus was a fairly benign piece of malware when it was discovered in July 2019. It is a successor to the popular Trojan Anubis, which ceased to exist sometime in 2018. It has all the features of standard banking malware, such as overlay attacks, SMS control, contact list harvesting, keylogging, and more. However, it lacked the ability to control a device remotely, something that was added fairly recently. Cerberus' developers even advertised the malware on Twitter.
The latest version of Cerberus leverages its ability to control a device remotely to perform a host of new functions. It can now steal information such as screen unlock credentials and 2FA codes generated by Google Authenticator. Once Google Authenticator is found to be running on an infected device, Cerberus can read its user interface and send the codes back to a designated server.
ThreatFabric notes that these new functionalities haven't been advertised in the usual channels. It is likely that this feature is still in the works and will be baked into a future version of the malware. Since it has complete control over a device, it can also steal 2FA codes from other authenticator apps and even from your email or SMS inbox. You can read more about Cerberus and its capabilities here.