e-Why, What & How · 2020-03-12

Researchers warn that 2FA protected accounts are in danger

If you frequent the World Wide Web, then you’ve probably seen the message, “Enable Two-Factor Authentication” (2FA) prominently displayed on a number of Sites that have a login system.

But security experts have now pointed out that an Android malware strain will soon be able to extract & steal one-time passcodes (OTP) generated through Google Authenticator, a mobile app that’s used as a two-factor authentication (2FA) layer for Online accounts.

2FA relies on 2 things to work:

  • That only the user knows the password
  • That the authentication token resides on his/her device

Therefore, you need something you know (your password) & something you’ve got (your device) in order to control your accounts. A few hackers may have both.

Apps such as Google & Microsoft Authenticator generate & store tokens, usually in 8 digits, which ensure that only you have access to your accounts. This system supposedly makes it difficult to hack accounts, unless a hacker steals your phone. However, there appears to be another way around this, & although Google & Microsoft were alerted to the problem as far back as 2014, neither saw fit to issue a fix.

These apps allow a screenshot to be taken of their screen’s contents. Until recently this was not a major issue. But researchers from the Dutch company ThreatFabric recently uncovered an Android malware called “Cerberus”, which is classed as both a Remote Access Trojan (RAT) & a banking Trojan. It can invade a device & take a screenshot of Google Authenticator, effectively gaining access to the user’s most vulnerable apps, such as banking apps or bitcoin wallets.

To inhibit screenshot taking within sensitive apps, an Android window flag known as FLAG_SECURE should be set, but this is missing in both Google & Microsoft’s 2FA apps. Now, with this new malware, banking apps might find their entire system insecure, & users could find their data & information compromised.
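How an Android app can set FLAG_SECURE on all of its windows, as an added example that is not from the original article or from Google’s or Microsoft’s apps. The names markSecure, SecureOtpApplication & SecureDialog are hypothetical.

```kotlin
import android.app.Activity
import android.app.Application
import android.app.Dialog
import android.os.Bundle
import android.view.Window
import android.view.WindowManager

// Hypothetical helper: flags a window as secure so the system leaves its
// contents out of screenshots, screen recordings and non-secure displays.
fun Window.markSecure() = setFlags(
    WindowManager.LayoutParams.FLAG_SECURE,
    WindowManager.LayoutParams.FLAG_SECURE
)

// Hypothetical Application subclass. Applying the flag from one central
// callback means a screen added later cannot be left unprotected by mistake.
class SecureOtpApplication : Application() {
    override fun onCreate() {
        super.onCreate()
        registerActivityLifecycleCallbacks(object : Application.ActivityLifecycleCallbacks {
            override fun onActivityCreated(activity: Activity, savedInstanceState: Bundle?) {
                // Runs during Activity.onCreate(), before the window is shown.
                activity.window.markSecure()
            }
            override fun onActivityStarted(activity: Activity) {}
            override fun onActivityResumed(activity: Activity) {}
            override fun onActivityPaused(activity: Activity) {}
            override fun onActivityStopped(activity: Activity) {}
            override fun onActivitySaveInstanceState(activity: Activity, outState: Bundle) {}
            override fun onActivityDestroyed(activity: Activity) {}
        })
    }
}

// A Dialog owns a separate Window and does not inherit the flag from the
// Activity behind it, so a dialog that displays a code must set it as well.
open class SecureDialog(activity: Activity) : Dialog(activity) {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        window?.markSecure()
    }
}
```

The Application subclass only takes effect once it is named in the `android:name` attribute of the `<application>` element in the app’s manifest.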

Fortunately, Cerberus is still in the “testing” stage, according to ThreatFabric, but the latter believes that the actors behind the malware are testing heavily so that they can go “live” in the near future &, possibly, sell the hacking tool to the highest bidder, according to reports.

But, hopefully, warnings posted by ThreatFabric, along with several reports to Google & Microsoft, will give them time to fix the flaws, & save their clients.

In the meantime, for users, it’s best to err on the side of safety & use an app such as Auth, which does all the things Google & Microsoft’s apps do but is very safe, does not allow screenshots to be taken, & even works on multiple devices, so losing your phone won’t get you locked out of your accounts.
