New research from the security company ThreatFabric reveals some concerning developments in the shady world of mobile malware. The Cerberus banking malware has received notable upgrades from its creators. The malware now has RAT (Remote Access Trojan) capabilities, which unlock a set of “features” for those who opt to use it. By abusing Android's Accessibility services, the malware can record the user's unlock credentials, such as their PIN or swipe pattern.
Stealing OTPs generated through Google Authenticator
As some of you asked in the past, yes, Android malware can possibly steal Google Authenticator’s 2FA codes by misusing accessibility services.
Here is one of the first attempts to create such functionality in Cerberus Banking Trojan https://t.co/ztpA2xAYEp
— Lukas Stefanko (@LukasStefanko) February 27, 2020
What is also worrying is that even Google Authenticator’s 2FA codes can be stolen by the malware. Google Authenticator is a popular app that allows users to easily add an extra security layer.
According to the report, the upgraded Cerberus malware can even set up a TeamViewer link so that the hackers can comfortably operate the victim’s phone when it’s not being used. That means text messages, social media accounts and photos are all exposed as well.
ThreatFabric researchers believe the Cerberus trojan will most likely use this feature to bypass Authenticator-based 2FA protections on online banking accounts, but there’s nothing stopping hackers from bypassing Authenticator-based 2FA on other types of accounts.
What measures can be taken by app developers?
What we all know is that high-value apps cannot rely on OS security features alone. Accessibility services on Android are currently one of the operating system's weakest points from a security standpoint.
So, to make sure your app is secure, a good piece of advice is to protect it with advanced in-app protection capabilities. Promon SHIELD™ protects your apps against shady malware that aims to steal sensitive user data from your apps by abusing the accessibility services.
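As an added illustration of the defensive side (example code written for this page, not Promon SHIELD code and not taken from the ThreatFabric report), here is a Java helper an Android app could use against the abuse described above: it lists enabled third-party accessibility services that can read window content, and keeps an OTP/PIN view out of the accessibility tree while blocking screen capture. The class and method names are my own; the Android APIs are real.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.ResolveInfo;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical hardening helper; not Promon SHIELD code and not taken from any Cerberus sample. */
public final class AccessibilityGuard {
    /**
     * Lists enabled, non-system accessibility services that can read window content.
     * A non-empty result is a risk signal (not proof of malware) worth surfacing to the
     * user before an OTP or PIN screen is shown.
     */
    public static List<String> thirdPartyScreenReaders(Context ctx) {
        List<String> found = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return found;
        for (AccessibilityServiceInfo info
                : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            ResolveInfo ri = info.getResolveInfo();
            if (ri == null || ri.serviceInfo == null) continue;
            boolean readsScreen = (info.getCapabilities()
                    & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0;
            boolean isSystem =
                    (ri.serviceInfo.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            if (readsScreen && !isSystem) found.add(ri.serviceInfo.packageName);
        }
        return found;
    }

    /**
     * Hardens the widget that shows or collects the secret. Removing it from the
     * accessibility tree only stops services that do not request
     * FLAG_INCLUDE_NOT_IMPORTANT_VIEWS, and FLAG_SECURE only blanks MediaProjection
     * screen capture (what remote-view tools rely on); neither is a full defence,
     * which is why OS features alone are not enough. Apply it to the secret view only,
     * so genuine screen readers keep the rest of the screen.
     */
    public static void protectSecretView(Activity activity, View secretView) {
        secretView.setImportantForAccessibility(View.IMPORTANT_FOR_ACCESSIBILITY_NO_HIDE_DESCENDANTS);
        activity.getWindow().setFlags(
                WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE);
    }
}
```

Call `thirdPartyScreenReaders` before navigating to a login or OTP screen and `protectSecretView` in that screen's `onCreate`; treat a non-empty list as a prompt for user warning or step-up verification rather than as a hard block.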