
Android malware "Cerberus" might be able to grab your Google Authenticator 2FA codes.

According to ZDNet there is malware currently in development that can grab screenshots of your Google Authenticator to get access to its 2FA codes.

 

Article: https://www.zdnet.com/article/google-could-have-fixed-2fa-code-stealing-flaw-in-authenticator-app-years-ago/

 

"This malware, called Cerberus, has this feature currently under development", researchers from ThreatFabric discovered. But it might not be long until it is out in the wild. The core feature that allows this attack (apart from being infected with the malware in the first place - D'OH) is the capability to take screenshots of Google Authenticator - a feature that Android itself has a flag for, to prevent this from happening. Google just never applied this flag to Google Authenticator (facepalm). The best part is that Google was informed about this bug back in 2014 and hasn't fixed it yet (double facepalm).

 

See here: https://wwws.nightwatchcybersecurity.com/2020/03/03/google-authenticator-for-android-allows-screen-capture/

 

I hope Google fixes this bug now that the impacts are getting closer. It does not protect you from all the harm hackers can do once they have successfully installed malware on your Android device, but it will make it harder for them and maybe mitigate some of the damage they can do.

 

EDIT: More on that topic from ZDNet: https://www.zdnet.com/article/using-google-authenticator-heres-why-you-should-get-rid-of-it/

Edited by Questargon
Additional ZDNet article

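The flag the Nightwatch post is talking about is the Android window flag FLAG_SECURE. The following is an added illustration and not code from Google Authenticator, ThreatFabric or the linked articles: a minimal Activity that displays one-time codes, first as it would be without the flag, then with the one-line fix. The activity and layout names are invented.

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.WindowManager;

// Added example: hypothetical activity and layout names, not Google's code.

// Before: nothing marks the window as sensitive, so a screenshot, a screen
// recording via the MediaProjection API, and the recent-apps thumbnail all
// contain the live code. Any app that can capture the screen can read it.
class UnprotectedCodeActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_codes); // hypothetical layout
    }
}

// After: FLAG_SECURE tells the window manager that this window's content
// must not appear in screenshots, screen recordings or on non-secure
// displays; capture of it comes back as a black frame.
class ProtectedCodeActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Set the flag before the window is first drawn. Setting it after
        // setContentView() leaves a window in which the first frame is
        // already capturable.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_codes); // hypothetical layout
    }
}
```

To check an app, bring its code screen to the front and run `adb shell screencap -p /sdcard/check.png`: a window with FLAG_SECURE set produces a black image. Two caveats a practitioner should keep in mind. First, the flag only governs the screen-capture path; a trojan that has talked the user into granting it an Accessibility Service (which Android banking malware routinely requests) can still read the digits as text from the view hierarchy, so this is a mitigation on an infected device, not a cure. Second, the enrolment screen that shows the QR code or the base32 secret deserves the same flag, because a screenshot of that leaks the long-lived seed rather than a single 30-second code.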

Damn. Now they'll get all my passwords to the nukes I have in the basement.

 

Seriously, though, you shouldn't have an issue unless you are just clicking on random stuff online. Most of these hacks require an entry point created by the user themselves. Hackers don't do brute force unless they really want something and that can be rare. I only use brute force if I'm testing something on my own systems. It's a pain in the ass.

 

 

 

 


I don't remember the Google account I installed the authenticator on, so I can't get back to it; suffice it to say the codes it generated 5 years ago are still valid today anyway. I have had serious doubts as to the security of Authenticator since then anyway and don't use it for anything else as a result.


This is why 2-factor applications (even if they are on your phone) should be using crypto to encrypt the secrets in such a way that the phone's security chip is the only chip that can decrypt them. It should then only request them to be decrypted (into memory) when needed to compute a 2-factor code. 1Password does a good job of this.

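The design described in the post above, as an added sketch in Java that is not code from 1Password, Google Authenticator or any other app: the TOTP seed is wrapped with a non-exportable AES-GCM key held in the Android Keystore (StrongBox-backed where the phone has a secure element), and is only unwrapped into memory for the duration of one HMAC computation, then zeroed. The key alias and the `requireStrongBox` parameter are assumptions; the code routine follows RFC 6238 over RFC 4226 (30-second step, HMAC-SHA1), which is what Google Authenticator-style seeds use.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.nio.ByteBuffer;
import java.security.KeyStore;
import java.util.Arrays;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example; the alias is hypothetical.
public final class SealedTotpSecret {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "totp-wrapping-key"; // hypothetical alias
    private static final int GCM_TAG_BITS = 128;

    private final byte[] iv;         // GCM nonce, stored next to the ciphertext
    private final byte[] ciphertext; // wrapped seed; useless without the keystore key

    // One-time setup: generate an AES key whose material never leaves the
    // TEE / secure element. Other apps cannot use it: keystore keys are
    // bound to the creating app's UID.
    public static void createWrappingKey(boolean requireStrongBox) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                // Decryption only works within 30 s of a lock-screen/biometric unlock.
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(30);
        if (requireStrongBox) {
            b.setIsStrongBoxBacked(true); // API 28+: dedicated secure element
        }
        kg.init(b.build());
        kg.generateKey();
    }

    private static SecretKey wrappingKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        return (SecretKey) ks.getKey(ALIAS, null);
    }

    // Seal the raw seed scanned from the enrolment QR code and wipe the plaintext.
    public static SealedTotpSecret seal(byte[] seed) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, wrappingKey());
        byte[] ct = c.doFinal(seed);
        Arrays.fill(seed, (byte) 0);
        return new SealedTotpSecret(c.getIV(), ct);
    }

    // Unseal only for the milliseconds needed to compute one code.
    public String code(long unixSeconds, int digits) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, wrappingKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] seed = c.doFinal(ciphertext);
        try {
            return totp(seed, unixSeconds, digits);
        } finally {
            Arrays.fill(seed, (byte) 0); // do not leave the seed lying around in the heap
        }
    }

    // RFC 6238 TOTP: HOTP (RFC 4226) with counter = floor(time / 30 s), HMAC-SHA1.
    static String totp(byte[] seed, long unixSeconds, int digits) throws Exception {
        byte[] msg = ByteBuffer.allocate(8).putLong(unixSeconds / 30).array();
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(seed, "HmacSHA1"));
        byte[] h = mac.doFinal(msg);
        int offset = h[h.length - 1] & 0x0f;                       // dynamic truncation
        int bin = ((h[offset] & 0x7f) << 24) | ((h[offset + 1] & 0xff) << 16)
                | ((h[offset + 2] & 0xff) << 8) | (h[offset + 3] & 0xff);
        int otp = bin % (int) Math.pow(10, digits);
        return String.format("%0" + digits + "d", otp);
    }

    private SealedTotpSecret(byte[] iv, byte[] ciphertext) {
        this.iv = iv;
        this.ciphertext = ciphertext;
    }
}
```

Things to know before copying this: `setIsStrongBoxBacked(true)` throws `StrongBoxUnavailableException` on phones without a secure element, so fall back to the TEE-backed keystore rather than to a software key; with `setUserAuthenticationRequired(true)` the `Cipher.init` in `code()` throws `UserNotAuthenticatedException` until the user has unlocked via `BiometricPrompt` or `KeyguardManager` within the validity window (the duration setter is deprecated from API 30 in favour of `setUserAuthenticationParameters`, but still works); and whether a key really lives in secure hardware can be checked by obtaining a `KeyInfo` for it through `SecretKeyFactory.getKeySpec` and reading `isInsideSecureHardware()`. What this does not stop is a screenshot of the computed code, which is the attack in the original post; sealing the seed limits the damage to a 30-second window instead of permanent cloning of the token, and FLAG_SECURE on the display window covers the rest.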

1 hour ago, Twilight said:

I use Authy... so I guess I'm safe?

Probably for now. Though the same rules apply; it's just that most people use Google Authenticator, and things can be automated more easily if you have the same app to exploit or capture images of, as opposed to expecting some other, slightly less popular app like Authy to be present.


15 minutes ago, RejZoR said:

Probably for now. Though the same rules apply; it's just that most people use Google Authenticator, and things can be automated more easily if you have the same app to exploit or capture images of, as opposed to expecting some other, slightly less popular app like Authy to be present.

You can protect Authy with a PIN, so apps can't just take screenshots of it. They can when you have it unlocked though...


Yeah, I have used Authy for a while now. Prefer it over Google's offering anyway.


6 hours ago, Twilight said:

I use Authy... so I guess I'm safe?

I made the switch to Authy a couple of months ago. I'm hoping we're safe for now.


10 minutes ago, Xiee said:

I made the switch to Authy a couple of months ago. I'm hoping we're safe for now.

Well, my most important accounts are protected by SMS, so even if Authy isn't safe either, I can grab my old Nokia 3310, put my SIM in that and use that for 2-factor lmao


5 hours ago, Twilight said:

you can protect authy with a pin, so apps can't just take screenshots of it. they can when you have it unlocked though... 

The problem is when it gets unlocked...


2 minutes ago, RejZoR said:

The problem is when it gets unlocked...

I said that literally in the post you quoted...


How do they fail so much...


My tool of choice is "andOTP" for Android now.


9 hours ago, Twilight said:

Well, my most important accounts are protected by SMS, so even if Authy isn't safe either, I can grab my old Nokia 3310, put my SIM in that and use that for 2-factor lmao

SMS 2FA also has a bunch of flaws, most notably SIM Swap. SIM swapping is far less of a problem for regular end users (that is, people who aren't being specifically targeted) because it requires the attacker to obtain the victim's phone number and socially engineer their network provider to provide a SIM card, but it is basically impossible for the victim to protect against it.

 

In this case, it does look like the malware is designed for more mass credential harvesting, so in that case I think it is fair to say that for the average person they would be marginally more secure with SMS 2FA. It mustn't be used to protect particularly valuable information or by anyone notable though, because it will get breached.

 

Basically, proper security is hard.


5 hours ago, colonel_mortis said:

SMS 2FA also has a bunch of flaws, most notably SIM Swap. SIM swapping is far less of a problem for regular end users (that is, people who aren't being specifically targeted) because it requires the attacker to obtain the victim's phone number and socially engineer their network provider to provide a SIM card, but it is basically impossible for the victim to protect against it.

The providers here have more security to protect against that than elsewhere. It's not perfect, but it's a hell of a lot better usually. Sometimes they send a code to your phone number to verify that it's really you trying to swap the number, etc. Again, it's not perfect but it's better. As well as that, I have the security notifications enabled on all my devices for all of those accounts, so if someone does get access to them I can immediately yeet them.


1 hour ago, Twilight said:

The providers here have more security to protect against that than elsewhere. It's not perfect, but it's a hell of a lot better usually. Sometimes they send a code to your phone number to verify that it's really you trying to swap the number, etc. Again, it's not perfect but it's better. As well as that, I have the security notifications enabled on all my devices for all of those accounts, so if someone does get access to them I can immediately yeet them.

Your location and the providers you use don't necessarily offer better protection than anybody else's. I'm in Arizona with AT&T and Mint Mobile. While both offer very good protection, and AT&T even offers their own cybersecurity suite, they are just as fallible as others due to the human factor. SIM swapping/jacking is still a thing, which is why I don't use my phone number for 2FA.

 

 

 

 


2 minutes ago, FakeCIA said:

Your location and providers you use don't necessarily offer better protection that anybody else. I'm in Arizona with AT&T and Mint Mobile. While both offer very good protection, AT&T even offers their own cybersecurity suite, they are just as fallible as others due to the human factor. SIM swapping/jacking is still a thing which is why I don't use my phone number for 2FA.

I mean, the thing is that I've never heard of it happening here, even to important targets like celebrities.


1 hour ago, Twilight said:

I mean, the thing is that I've never heard of it happening here, even to important targets like celebrities.

The general media don't always report things like that because they deem it unimportant or something that won't make money, unless it's Ryan Reynolds' phone number. The best sources to learn about how common these scams or breaches are, in the USA, are the Federal Bureau of Investigation, the Secret Service, and the Department of Homeland Security. Scams like SIM jacking happen to hundreds of people every hour.

 

https://www.fbi.gov/investigate/cyber

https://www.secretservice.gov/investigation/#cyber

https://www.dhs.gov/topic/cybersecurity

Edited by FakeCIA
Added Official Websites

 

 

 

 


On 3/10/2020 at 5:08 AM, hishnash said:

This is why 2-factor applications (even if they are on your phone) should be using crypto to encrypt the secrets in such a way that the phone's security chip is the only chip that can decrypt them. It should then only request them to be decrypted (into memory) when needed to compute a 2-factor code. 1Password does a good job of this.

I agree that there should be a better encryption method than the basic 2FA that we use anyways. This could amount to something more complex than the braindead-easy, but efficient 2FA process, which would upset a lot of the users at present.

1 hour ago, Twilight said:

The providers here have more security to protect against that than elsewhere. It's not perfect, but it's a hell of a lot better usually. Sometimes they send a code to your phone number to verify that it's really you trying to swap the number, etc. Again, it's not perfect but it's better. As well as that, I have the security notifications enabled on all my devices for all of those accounts, so if someone does get access to them I can immediately yeet them.

This point bears repeating. Whatever the encryption process, the final say should be with the user, and not anybody else!
~Engineer.AI

