Security analysts claim that a relatively new Android malware can now extract one-time passwords (OTP) generated by Google's authenticator app. The Google Authenticator app was launched in 2010 as an alternative to SMS-based one-time passcodes, and is used for two-factor authentication (2FA) for various Google apps and services such as Gmail and YouTube. Google has not released any statements in response to the claims made by the analysts in the report.
According to ThreatFabric, the team has found an Google Authenticator OTP-stealing capability in recent samples of Cerberus, the Android banking malware that first emerged in June 2019. However, it was also pointed out that the malware is likely to be not live as no advertisements were made in underground forums.
"We believe that this variant of Cerberus is still in the test phase but might be released soon. Having an exhaustive target list including institutions from all over the world, Cerberus is a critical risk for financials offering online banking services," analysts said.
Despite this, the note also pointed out that Cerberus should not be taken lightly, as it includes the capabilities of remote access trojans (RATs), an advance class of malware. This malware can even pose serious threats to online banking services.
To use Google Authenticator, a user is required to download the app from the respective app store of the device. Instead of receiving a text message from the operator as typically seen in 2FA, the app displays six to eight-digits-long unique codes that users must enter while trying logging into an account. Find all the relevant information about the Authenticator app here.
As pointed out in the beginning, Google has not issued statements over the concerns. However, the Alphabet-owned tech giant might likely be working on updates regarding its authenticator app as no cases of breach of this nature were earlier reported. We've reached out to Google for a statement, and will update this space if we hear back.