Cerberus malware has a feature that extracts single-use codes and sends them to an external server. Proof that the smartphone is not the best place for strong authentication.

Strong authentication by SMS, as we know, is no longer highly recommended, because hackers have the means to intercept those messages. This is why banks are gradually abandoning this type of technology in favor of single-use codes generated by mobile applications. But that solution is not necessarily ideal either, as a report by ThreatFabric shows.
The company recently got its hands on a new version of the Cerberus Trojan, capable of stealing codes generated by Google Authenticator, one of the most popular applications in the area of strong authentication.
By abusing accessibility privileges on Android, this malware can extract codes from the application’s graphical interface and send them to an external server.

Launching the Google Authenticator app is no obstacle for the attacker, as Cerberus integrates TeamViewer, the famous remote control software used by IT maintenance departments. This allows the attacker to install and launch any application on the phone. Beforehand, it will obviously be necessary to recover the unlock code of the device. Conveniently, Cerberus has a function that generates an "overlay" on the unlock screen, that is to say a graphical interface superimposed on it without the user noticing. When the user enters his code, it is intercepted by the hacker.
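Since Cerberus depends on accessibility privileges, one check a defender can run is an audit of which accessibility services are enabled on the device. The script below is an added example, not code from the article or from ThreatFabric; it assumes the value of the Android Secure setting `enabled_accessibility_services` is passed in as its argument, and the allowlist it compares against is a constructed sample.

```shell
#!/bin/sh
# Added example: flag accessibility services that are enabled on an Android
# device but not on an allowlist. Cerberus abuses accessibility privileges to
# read Google Authenticator's screen, so an unexpected enabled service is a
# strong indicator of compromise.
#
# The input is the raw value of the Secure setting, a colon-separated list of
# "package/class" pairs, normally obtained with:
#   adb shell settings get secure enabled_accessibility_services

# Constructed allowlist (assumption): only the stock screen reader is expected.
ALLOWLIST="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Expand the abbreviated "pkg/.Class" form Android also accepts into "pkg/pkg.Class"
# so that both spellings compare equal against the allowlist.
normalize_service() {
    pkg="${1%%/*}"
    cls="${1#*/}"
    case "$cls" in
        .*) printf '%s/%s%s\n' "$pkg" "$pkg" "$cls" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# Print each enabled service not on the allowlist.
# Returns 0 when every enabled service is known, 1 otherwise.
audit_accessibility() {
    services="$1"
    unexpected=0
    # An empty setting (or the literal "null" adb prints) means nothing is enabled.
    if [ -z "$services" ] || [ "$services" = "null" ]; then
        return 0
    fi
    old_ifs="$IFS"
    IFS=':'
    set -f   # disable globbing while splitting on ':'
    for raw in $services; do
        svc=$(normalize_service "$raw")
        case ":$ALLOWLIST:" in
            *":$svc:"*) ;;   # known, allowed service
            *) echo "UNEXPECTED accessibility service enabled: $svc"
               unexpected=$((unexpected + 1)) ;;
        esac
    done
    set +f
    IFS="$old_ifs"
    [ "$unexpected" -eq 0 ]
}

# Usage on a connected device:
#   audit_accessibility "$(adb shell settings get secure enabled_accessibility_services)"
```

The short "pkg/.Class" form and the full form are treated as the same service, so a legitimate entry written either way is not reported.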

Google Authenticator is not used by any French bank to our knowledge. Establishments prefer to integrate the generation of single-use codes - or simple validation with an OK button - directly into their mobile applications. But nothing prevents us from imagining a Cerberus variant tailor-made for these dedicated applications.

This fairly sophisticated malware shows that the smartphone is not necessarily the best choice for generating a second authentication factor. If the device is infected with a Trojan horse, strong authentication security is worthless. This is why it would be better to use security keys, such as those offered by Yubico or by Google with its Titan key. This hardware is impossible to hack and therefore offers much better security. Banks still need to integrate them into their access technologies.

Source: ThreatFabric

Younes Derfoufi