Android malware Cerberus can steal codes from Google Authenticator

The Cerberus online banking trojan can steal one-time passcodes (OTPs) generated by Google Authenticator, allowing it to bypass two-factor authentication (2FA) on protected accounts. It is a new Android banking trojan, launched in June 2019, and is believed to be an elite class of malware with features similar to those of remote access trojans (RATs).

Google’s 2FA and Microsoft’s app are considered safer than SMS for receiving authentication codes, but by abusing accessibility privileges, Cerberus can now steal 2FA codes from Google’s Authenticator application.

Advanced RAT features allow a threat actor to connect remotely to an infected device and access an online banking account, using the code-stealing capability to bypass the 2FA protections on that account. This feature of Cerberus is most likely to be used to bypass 2FA protection on online banking accounts, but it can also be used to bypass 2FA on other types of accounts.

According to the ThreatFabric team, the Cerberus strain is believed to be in a heavy testing phase and will be released soon. This gives Google time to secure Authenticator and Android against such attacks.