Security researchers at ThreatFabric have now discovered a new variant of Android-focused Cerberus malware that could bypass Google Authenticator entirely. The malware would accomplish that by essentially capturing and stealing the authentication codes from the app. Those codes are typically utilized as a secondary identifying measure alongside more standard passwords for a given account.
The new strain of Cerberus includes a number of alterations. Not least of all, it takes advantage of the Accessibility permission in Android to access one-time codes generated by Google’s Authenticator app. It does that by reading the content of the Android interface while Authenticator is running. That information is then sent to a command-and-control server.
As a result, those codes can be used to access various accounts, even from a remote location without physical access to the device. That circumvents precisely the type of security that Google Authenticator is intended to provide.
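The mechanism described above (an accessibility service reading on-screen content while the authenticator app is in the foreground) is one an app that displays codes can partly defend against. The Kotlin snippet below is an added example, not code from the article, from ThreatFabric, or from Google Authenticator. It assumes a hypothetical app (package name, OtpActivity and the placeholder code are all constructed) and shows two defender-side measures: marking the code view as accessibility-data-sensitive on Android 14 and later, so services that did not declare themselves accessibility tools cannot read its content, and enumerating enabled accessibility services so the app can warn the user before a code is shown. FLAG_SECURE is included for completeness; it blocks screenshots and screen recording but does not block accessibility services.

```kotlin
// Added example (not from the article, ThreatFabric or Google): defensive handling
// of a one-time-code view in a hypothetical Android app. Package name, activity
// and the displayed code are constructed for illustration.
package com.example.otpdemo

import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.os.Build
import android.os.Bundle
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager
import android.widget.TextView

/** Summary of one enabled accessibility service, for logging or a warning dialog. */
data class EnabledService(val id: String, val packageName: String, val declaredTool: Boolean)

/**
 * Lists enabled accessibility services. On API 33+ each entry records whether the
 * service declared android:isAccessibilityTool in its metadata; below API 33 that
 * flag does not exist, so declaredTool is reported as false (unknown).
 */
fun enabledAccessibilityServices(context: Context): List<EnabledService> {
    val manager = context.getSystemService(AccessibilityManager::class.java)
        ?: return emptyList()
    return manager
        .getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .map { info ->
            val declaredTool =
                Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU && info.isAccessibilityTool
            EnabledService(
                id = info.id,
                packageName = info.resolveInfo.serviceInfo.packageName,
                declaredTool = declaredTool,
            )
        }
}

/** Enabled services that can read UI content but did not declare themselves accessibility tools. */
fun undeclaredScreenReaders(context: Context): List<EnabledService> =
    enabledAccessibilityServices(context).filter { !it.declaredTool }

/**
 * Applies the view-level mitigation to the TextView that displays the code.
 * FLAG_SECURE stops screenshots and screen capture of the window; it does NOT stop
 * accessibility services, which is why the API 34 sensitivity flag is also set.
 */
fun protectOtpView(activity: Activity, otpView: TextView) {
    activity.window.setFlags(
        WindowManager.LayoutParams.FLAG_SECURE,
        WindowManager.LayoutParams.FLAG_SECURE,
    )
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
        // Hides this view's content from accessibility services that are not
        // declared accessibility tools (Android 14+).
        otpView.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
    }
}

/** Hypothetical activity that shows a code only after running both checks. */
class OtpActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val otpView = TextView(this)
        setContentView(otpView)
        protectOtpView(this, otpView)

        val suspects = undeclaredScreenReaders(this)
        if (suspects.isNotEmpty()) {
            // A real app would show a dialog naming the services and let the user decide.
            otpView.text = "An accessibility service is active: " +
                suspects.joinToString { it.packageName }
        } else {
            otpView.text = "123456" // constructed placeholder, not a real OTP
        }
    }
}
```

Both measures depend on the service's own android:isAccessibilityTool declaration, so they narrow the exposure rather than close it; the warning list is a prompt for the user to review what is enabled, not proof that a given service is malicious.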
What does the change mean for Cerberus malware?
Now, Cerberus is one of many different malware families found on Android. It’s primarily a banking trojan but can also harvest credentials for other types of accounts. It’s already fairly advanced. The addition of these remote access trojan (RAT) features would move it into a different class of malware.
That’s because there have generally not been many iterations of malware that have been able to bypass multi-factor authentication methods. More pertinently, Google’s Authenticator app doesn’t transmit the six-to-eight-digit codes it generates. Those stay on-device, typically adding an extra layer of protection over standard SMS-based authentication methods.
The added ability to bypass that layer of security would make Cerberus particularly potent, placing it far apart from malware that has historically targeted apps and devices running Google’s mobile OS.
The new Cerberus malware isn’t a threat to Google Authenticator for now
For the time being, ThreatFabric reports that the new strain of Cerberus doesn’t appear to be live. In fact, it doesn’t appear to be available or even advertised via the web’s hacking forums. The implication, the researchers say, is that it is still undergoing testing. So while users should be aware of the threat, it isn’t a big problem just yet.
It may be possible for Google to act on the information and formulate a plan or solution that prevents the new strain from stealing the codes. That shouldn’t be taken as a comfort for all users, though. The solution here would probably entail changes to permissions that prevent Cerberus from abusing them in the first place. In short, that would require changes to the underlying Android system.
Whether any such change could be delivered via either a firmware update or a security patch isn’t immediately clear. Google wouldn’t necessarily be able to distribute it directly, regardless. Instead, it would fall to hardware OEMs and their respective update cycles, which vary significantly to begin with. Older devices wouldn’t automatically receive an update at all.
Conversely, Google could approach the problem by changing how and which apps can access Accessibility-related permissions.
That doesn’t bode well for Android users if ThreatFabric is correct that a release is likely in the near future. It could leave very few alternatives for users who rely on multi-factor authentication.