Android malware detected that can easily steal OTP codes without the victim knowing

Android malware can extract and steal one-time passcodes (OTP) generated by the Google Authenticator application.

International security experts have recently discovered an Android malware variant that can extract and steal one-time passwords (OTP) generated by the Google Authenticator application.

This malware is called Cerberus, a relatively new banking trojan first discovered in 2019 that specialises in 'parasitising' Android devices, and it has one capability that makes it especially dangerous: the ability to steal Authenticator OTP codes.

Compared to last year's version, the current Cerberus variant has some significantly more advanced capabilities. After successfully infiltrating the victim's device, it can abuse the accessibility privileges it has been granted to steal 2FA codes, harvest the contents of the Authenticator app and send them to a server controlled by the attacker.

If you don't already know, Authenticator is a two-step verification (2FA) app on your phone, launched in 2010 as an alternative to traditional SMS-based one-time codes. Authenticator gives users' Google accounts an extra layer of security by requiring a second verification step at sign-in: in addition to the password, you need the code generated by the Google Authenticator app on your phone. Once an account has been set up and linked, Authenticator generates 6-8-digit OTP codes and shows them to the user when logging into the corresponding account.
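To make concrete what the Authenticator app actually computes, here is an added example (not code from the article or from Google) of the RFC 4226 HOTP / RFC 6238 TOTP scheme that Google Authenticator implements: the code is an HMAC-SHA1 over the number of 30-second steps since the Unix epoch, keyed with the base32 secret shared at enrolment, truncated to 6 (or 8) digits. The `verify_totp` helper shows the server-side check with a small clock-skew window and a constant-time comparison; the secret used below is the public RFC test vector, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time: Optional[float] = None,
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP as used by Google Authenticator: the HOTP counter is the
    number of `period`-second steps since the Unix epoch. `secret_b32` is the
    base32 string carried in the otpauth:// URI / QR code shown at enrolment."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time) // period, digits)


def verify_totp(secret_b32: str, code: str, for_time: Optional[float] = None,
                window: int = 1, digits: int = 6, period: int = 30) -> bool:
    """Server-side check: accept the current step and `window` steps either
    side (to absorb clock drift), comparing in constant time."""
    if for_time is None:
        for_time = time.time()
    for skew in range(-window, window + 1):
        candidate = totp(secret_b32, for_time + skew * period, digits, period)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# Constructed example input: the RFC 4226 / RFC 6238 test secret
# "12345678901234567890", base32-encoded the way an enrolment QR code carries it.
RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 vector (SHA1, 8 digits) is 94287082;
    # the 6-digit form Authenticator displays is 287082.
    print(totp(RFC_TEST_SECRET_B32, for_time=59))
    print(totp(RFC_TEST_SECRET_B32, for_time=59, digits=8))
```

The point for this story is that the displayed code is only a function of the shared secret and the current time step, so a code read off the screen is worth something only while that step (and the server's skew window) is still open; malware that can read the Authenticator screen has to relay it to the attacker in near real time, which is exactly what Cerberus's remote-access features are for.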


So how can this new Cerberus variant steal information from Authenticator? Experts have found that the malicious code carries a range of features typical of an advanced remote access trojan (RAT):

  1. It can connect remotely and automatically to an infected device.
  2. It can collect victims' information and data and use it to access their online accounts, a major threat to online banking, email, storage, streaming and social media accounts, intranets, etc.
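Because the theft described above depends on the malware first being granted accessibility access, the single most useful check for a user or investigator is to review which apps hold that privilege. The script below is an added example, not part of the article or any vendor tool: it parses the value of Android's secure setting `enabled_accessibility_services` (the colon-separated list printed by `adb shell settings get secure enabled_accessibility_services`, the same list shown under Settings > Accessibility) and flags every enabled service that is not on a known-good allowlist. The allowlist and the sample setting value, including the `com.example.flashlight` package, are constructed for the example.

```python
from typing import List, Tuple

# Constructed allowlist for this example: services you expect on the device
# (here only Google's TalkBack screen reader). Tune it to the fleet's baseline.
KNOWN_GOOD_SERVICES = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}


def parse_enabled_accessibility_services(setting_value: str) -> List[Tuple[str, str]]:
    """Parse the secure setting `enabled_accessibility_services` into
    (package, fully-qualified service class) pairs.

    The value is a colon-separated list of ComponentName strings such as
    'com.pkg/com.pkg.Service' or the shorthand 'com.pkg/.Service'.
    An empty value or the literal 'null' means no service is enabled."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    services = []
    for entry in value.split(":"):
        if "/" not in entry:
            continue                      # malformed fragment; ignore it
        package, cls = entry.split("/", 1)
        if cls.startswith("."):           # shorthand class relative to the package
            cls = package + cls
        services.append((package, cls))
    return services


def audit_accessibility_services(setting_value: str, allowlist=KNOWN_GOOD_SERVICES) -> List[str]:
    """Return the enabled accessibility services that are not on the allowlist.
    Each is a candidate for 'why does this app need to read my screen?'."""
    return [
        f"{pkg}/{cls}"
        for pkg, cls in parse_enabled_accessibility_services(setting_value)
        if f"{pkg}/{cls}" not in allowlist
    ]


# Constructed sample: TalkBack plus a third-party 'flashlight' app that has been
# granted accessibility access (package and class names invented for this example).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.flashlight/.svc.AssistService"
)

if __name__ == "__main__":
    for svc in audit_accessibility_services(SAMPLE_SETTING):
        print("unexpected accessibility service enabled:", svc)
```

On a managed fleet the same check can be run from the MDM's device-inventory data; on a single phone, the list under Settings > Accessibility is the place to look, and revoking the privilege for anything that has no plausible need for it (a flashlight, a wallpaper app, a game) removes the access that a trojan of this kind relies on.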

However, the 2FA code theft feature is not yet present in the Cerberus version currently being advertised and sold on hacking forums. Security researchers therefore believe this new Cerberus variant is still in beta, but it is likely to be released soon.

Google has not yet commented on the findings, but upcoming security patches for Android in general and for the Authenticator application in particular will need to contain a definitive fix for this malicious code.
