Bitcoin Forum

Economy => Exchanges => Topic started by: Saint-loup on February 28, 2020, 03:18:13 PM



Title: A new virus is attacking Google 2FA app
Post by: Saint-loup on February 28, 2020, 03:18:13 PM
It seems 2FA authentication is not totally safe anymore.

A new malware called Cerberus now targets Android-based smartphones by stealing passwords provided by the Google Authenticator app, a new cyber-security report by ThreatFabric states.

As reported by the research group, Cerberus can do something that very few other Trojans are able to – mess with the Google Authenticator app and steal its one-time codes which are often used to secure access to Bitcoin wallets or accounts on digital exchanges.

Until now, this Google app was believed to be the best protection, much more efficient than SMS-based security codes.

https://u.today/bitcoin-btc-wallets-may-be-in-danger-as-new-trojan-compromises-google-2fa
https://www.threatfabric.com/blogs/2020_year_of_the_rat.html


Title: Re: A new virus is attacking Google 2FA app
Post by: NeuroticFish on February 28, 2020, 03:36:36 PM
Although it's not perfect (https://bitcointalk.org/index.php?topic=5223873.0), Aegis can be a good alternative. There's quite a review here: https://bitcointalk.org/index.php?topic=5192978.0
I've been using it for some months now.

The difference is that Aegis keeps its data password protected and can be exported/imported too.


Title: Re: A new virus is attacking Google 2FA app
Post by: princerepon on February 28, 2020, 03:43:36 PM
I don't know how trustworthy your source is. That article has no strong point or source that makes it believable news. So I'll take it as hype news until Google confirms it. But if this is happening then many users who use the Google 2FA app for their security are going to suffer. And I don't think there is any crypto-related person who doesn't use this app. According to the Google Play Store (https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=bn) around 10M+ people use this app. So I hope we'll know more details about it very soon.


Title: Re: A new virus is attacking Google 2FA app
Post by: pakhitheboss on February 28, 2020, 03:51:18 PM
It seems 2FA authentication is not totally safe anymore.

A new malware called Cerberus now targets Android-based smartphones by stealing passwords provided by the Google Authenticator app, a new cyber-security report by ThreatFabric states.

As reported by the research group, Cerberus can do something that very few other Trojans are able to – mess with the Google Authenticator app and steal its one-time codes which are often used to secure access to Bitcoin wallets or accounts on digital exchanges.

Until now, this Google app was believed to be the best protection, much more efficient than SMS-based security codes.

https://u.today/bitcoin-btc-wallets-may-be-in-danger-as-new-trojan-compromises-google-2fa
https://www.threatfabric.com/blogs/2020_year_of_the_rat.html

If this is true (which I doubt), then users using Google Authenticator are no longer safe. I personally use it for all my crypto transactions.

I have heard a lot about Authy as an alternative to Google Authenticator but never tried it. It is better to wait for an official announcement from Google before coming to any conclusions.


Title: Re: A new virus is attacking Google 2FA app
Post by: Youghoor on February 28, 2020, 04:34:54 PM
OMG! This is serious   :( I thought Google Authenticator was one of the best ways of securing your crypto accounts and wallets, but this does not seem to be the case anymore. Anyway, how does this actually spread? Does this malware spread through any network, or can these hackers send it through your mail, or can they embed it in any other Google app for users to download without their knowledge?
I believe if we can know how exactly this is spread we can avoid catching this malware in the first place.


Title: Re: A new virus is attacking Google 2FA app
Post by: fiulpro on February 28, 2020, 04:41:43 PM
But one should also understand: how does a virus enter the mobile?

 * Clicking any unknown link
 * Going on any unknown website
 * Downloading something from a site you barely know about
 * Using things other than Google Play to download apps

Etc.

It's very basic: if you stay clear of all these things, you won't have any problem with this virus.


Title: Re: A new virus is attacking Google 2FA app
Post by: kryptqnick on February 28, 2020, 04:46:53 PM
It seems 2FA authentication is not totally safe anymore.

A new malware called Cerberus now targets Android-based smartphones by stealing passwords provided by the Google Authenticator app, a new cyber-security report by ThreatFabric states.

As reported by the research group, Cerberus can do something that very few other Trojans are able to – mess with the Google Authenticator app and steal its one-time codes which are often used to secure access to Bitcoin wallets or accounts on digital exchanges.

Until now, this Google app was believed to be the best protection, much more efficient than SMS-based security codes.

https://u.today/bitcoin-btc-wallets-may-be-in-danger-as-new-trojan-compromises-google-2fa
https://www.threatfabric.com/blogs/2020_year_of_the_rat.html
Apparently, it's not totally safe for a variety of reasons. Honestly, I thought that it was a great method to protect my funds, but these days I am starting to rethink it. This malware is one thing, but there's also the infamous SIM Swapping of which you've probably heard, and it also compromises the 2FA. I guess we can never be completely safe, every method has its risks. For instance, in the case of super safety from the outer world, there's a danger of losing the essential info to open a wallet which to me seems even more realistic than getting hacked, to be honest.


Title: Re: A new virus is attacking Google 2FA app
Post by: hatshepsut93 on February 28, 2020, 05:07:05 PM
Since exchanges are already so centralized and do KYC, I think they should behave more like banks and add more security checks to users' operations. This is usually done via algorithmically assessing risks, and when needed, requesting additional input from the user (sending SMS, email, delaying transactions, manual verification, etc.). Yes, this is ugly, and against the spirit of crypto, but exchanges are already so far from how people imagined crypto would be used, so this measure will do more good than harm.


Title: Re: A new virus is attacking Google 2FA app
Post by: pawanjain on February 28, 2020, 05:10:00 PM
I was actually doubting the OP since I thought the news is fake but then I thought of searching it on google.
What an irony, searching about google on google, lol  ;D
Anyway, the top 3 results were

Android malware can steal Google Authenticator 2FA codes (https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/)
Google Authenticator Is Vulnerable To Android Malware, Can Steal 2FA Codes (https://in.mashable.com/tech/11818/google-authenticator-is-vulnerable-to-android-malware-can-steal-2fa-codes)
2FA apps like Google Authenticator reportedly vulnerable to malware snooping (https://www.androidpolice.com/2020/02/28/2fa-authenticator-apps-malware-snooping/)


Just enter in google search " google authenticator vulnerability " and look for yourself
I guess the news is actually true.


Title: Re: A new virus is attacking Google 2FA app
Post by: rdluffy on February 28, 2020, 05:17:39 PM
Wow, even this authenticator is suffering

I stopped using Google's 2FA because it's very risky if you lose your smartphone or Android gets corrupted... now I use Authy, it's way better than Google's, and if you lose your device, you have a master password to recover, and you can use it on PC, laptop, smartphones...


Title: Re: A new virus is attacking Google 2FA app
Post by: dothebeats on February 28, 2020, 06:10:40 PM
Since exchanges are already so centralized and do KYC, I think they should behave more like banks and add more security checks to users' operations. -snip

I agree. There should be some form of new checks that exchanges should do in the event of a new device signing in on the account. Such practice would potentially avert any hacks or account hijacking that would be done by the hackers, and is actually a good measure for imposing security on users' accounts. I know that some exchanges are already doing this, and they should do it even more so as to mitigate the damage done or at least lessen the number of users affected by the exploit.

Good thing my banks use SMS 2FA for a one-time passcode, though I think it's only a matter of time before hackers breach into that area of security, too.


Title: Re: A new virus is attacking Google 2FA app
Post by: serjent05 on February 28, 2020, 06:29:43 PM
Good thing my banks use SMS 2FA for a one-time passcode, though I think it's only a matter of time before hackers breach into that area of security, too.

I think this is one of the best security measures one can use, since it is hard for hackers to access both the 2FA and our mobile SIM number to get the password for the account they intend to hack.  We can add another layer of protection with an email verification code.

I wonder if the news about 2FA being compromised is true; I haven't heard any reaction from Google about this rumor. If it is true then Google would be fast enough to react to this and notify their users about the incident.


Title: Re: A new virus is attacking Google 2FA app
Post by: mindrust on February 28, 2020, 06:38:13 PM
At times like these you feel good about using iOS instead of Android. I am not saying iOS is completely superior, but it being a closed box makes things harder for the hackers without a doubt.

Hardware 2FA like this is probably better than both:
https://www.yubico.com/


Title: Re: A new virus is attacking Google 2FA app
Post by: squatter on February 28, 2020, 06:51:28 PM
From the security researchers who disclosed the exploit (https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/):

Quote
In a report published this week, security researchers from Dutch mobile security firm ThreatFabric say they've spotted an Authenticator OTP-stealing capability in recent samples of Cerberus, a relatively new Android banking trojan that launched in June 2019.

ThreatFabric said this new feature is not yet live in the Cerberus version advertised and sold on hacking forums.

"We believe that this variant of Cerberus is still in the test phase but might be released soon," researchers said.

If this feature will work as intended and will ship with Cerberus, this will put the banking trojan in an elite category of malware strains.

Is the attack only effective against targets who are running Authenticator and inputting passwords on the same [Android] device? See here:

Quote
These RAT features allow Cerberus operators to remotely connect to an infected device, use the owner's banking credentials to access an online banking account, and then use the Authenticator OTP-stealing feature to bypass 2FA protections on the account -- if present.

If you isolate the device you use to access an exchange from the device providing OTP codes, you should be in the clear, right?


Title: Re: A new virus is attacking Google 2FA app
Post by: Saint-loup on February 28, 2020, 07:19:05 PM
Is the attack only effective against targets who are running Authenticator and inputting passwords on the same [Android] device? See here:

Quote
These RAT features allow Cerberus operators to remotely connect to an infected device, use the owner's banking credentials to access an online banking account, and then use the Authenticator OTP-stealing feature to bypass 2FA protections on the account -- if present.

If you isolate the device you use to access an exchange from the device providing OTP codes, you should be in the clear, right?
Yes of course, but I don't think many hackers would care about your OTP codes if they haven't stolen your password first.   :-\


Title: Re: A new virus is attacking Google 2FA app
Post by: 20kevin20 on February 28, 2020, 07:20:56 PM
At times like these you feel good about using iOS instead of Android. I am not saying iOS is completely superior, but it being a closed box makes things harder for the hackers without a doubt.

Hardware 2FA like this is probably better than both:
https://www.yubico.com/

The closed-source nature of iOS makes everything worse imo. I'd rather go for an open source OS although it comes with vulnerabilities. In fact, nothing is 100% exploit-proof in the technology area as we've seen. There's always gonna be a little room for some exploit(s) to come in.


Title: Re: A new virus is attacking Google 2FA app
Post by: squatter on February 28, 2020, 07:39:00 PM
Is the attack only effective against targets who are running Authenticator and inputting passwords on the same [Android] device? See here:

Quote
These RAT features allow Cerberus operators to remotely connect to an infected device, use the owner's banking credentials to access an online banking account, and then use the Authenticator OTP-stealing feature to bypass 2FA protections on the account -- if present.

If you isolate the device you use to access an exchange from the device providing OTP codes, you should be in the clear, right?
Yes of course, but I don't think many hackers would care about your OTP codes if they didn't steal your password before.

Nobody should be logging into their accounts and generating OTP codes from the same device. That would render your device a single point of failure, which defeats the purpose of 2FA. Doing so from an Android device -- which are known to be highly vulnerable -- increases the risks all the more.

Since exchanges are already so centralized and do KYC, I think they should behave more like banks and add more security checks to users operations. This is usually done via algorithmically assessing risks, and when needed, requesting additional input from the user (sending sms, email, delaying transactions, manual verification, etc.).

Password, 2FA, and email verification should be enough to authorize irreversible withdrawals. That's 3 different systems that need to be compromised. If users employed proper isolation, such a compromise would be incredibly unlikely.

People should take this opportunity to improve their 2FA protocol -- isolate your device usage. Also, stop using Androids for anything security sensitive at all.


Title: Re: A new virus is attacking Google 2FA app
Post by: dothebeats on February 28, 2020, 07:45:36 PM
At times like these you feel good about using iOS instead of Android. I am not saying iOS is completely superior, but it being a closed box makes things harder for the hackers without a doubt.

Technically, iOS is one of the most superior mobile operating systems there is currently, and nothing can top the security that they are giving to their users atm. Though again, at some point in time, there will be vulnerabilities and exploits that will be found on the said operating system which would make it somewhat insecure. For the meantime, if the FBI and NSA can't do jack shit on the said operating system with their top dogs, how could other hackers fare?

Sometimes, limitations on what one can do to its device offer a better deal, too.

Good thing my banks use SMS 2FA for a one-time passcode, though I think it's only a matter of time before hackers breach into that area of security, too.

I think this is one of the best security measures one can use, since it is hard for hackers to access both the 2FA and our mobile SIM number to get the password for the account they intend to hack.  We can add another layer of protection with an email verification code.

Not really, SMS 2FA is more prone to MITM attacks (https://securityintelligence.com/whats-wrong-with-sms-authentication-two-ibm-experts-weigh-in-on-the-nist-recommendation/) than any other 2FA methods out there, so it's really hard to bank hard on this type of 2FA, too. I forgot to mention that aside from an SMS 2FA my bank sends me, they would also ask for an email 2FA to make it even more secure. Hassle, yes, but we're talking about money in here so it's all fine by me.

If you isolate the device you use to access an exchange from the device providing OTP codes, you should be in the clear, right?

Based on what they reported, yes. In order for the said exploit to work, the device with the OTP codes must be the same one where you log in; otherwise the account hijacking won't work.


Title: Re: A new virus is attacking Google 2FA app
Post by: FlightyPouch on February 28, 2020, 08:32:12 PM
No way. I have a lot of accounts with 2FA, almost all of my accounts have it. This is just alarming, I never thought that it would be breached like that. Most of the sites offer this as security, and if this is happening a lot of accounts will be hacked so easily, since that is the first thing you will put in when you log in. I will be removing mine now and renewing my passwords.


Title: Re: A new virus is attacking Google 2FA app
Post by: 2020VISION on February 28, 2020, 08:40:32 PM
lol this is something i've been saying for years, * 2fa password schemes are some bullshiT\_@@_/reeeee


Title: Re: A new virus is attacking Google 2FA app
Post by: Oceat on February 28, 2020, 09:06:52 PM
I don't know how trustworthy your source is. That article has no strong point or source that makes it believable news. So I'll take it as hype news until Google confirms it. But if this is happening then many users who use the Google 2FA app for their security are going to suffer. And I don't think there is any crypto-related person who doesn't use this app. According to the Google Play Store (https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=bn) around 10M+ people use this app. So I hope we'll know more details about it very soon.
I might have to stick with your point for the moment, since Google hasn't confirmed anything yet about this so-called 2FA virus in Google Auth. Android viruses aren't as effective as Windows viruses, although a virus is still a virus that can cause a problem for our phone, especially if we randomly download the said apps from an unsafe website.


Title: Re: A new virus is attacking Google 2FA app
Post by: betty11 on February 28, 2020, 09:14:00 PM
I didn't read your article, but I still think 2FA is very safe to use compared to leaving your exchange or wallets without any form of protection. What is needed is just for 2FA to have more security in third-party software development.


Title: Re: A new virus is attacking Google 2FA app
Post by: adzino on February 28, 2020, 10:50:22 PM
No way. I have a lot of accounts with 2FA, almost all of my accounts have it. This is just alarming, I never thought that it would be breached like that. Most of the sites offer this as security, and if this is happening a lot of accounts will be hacked so easily, since that is the first thing you will put in when you log in. I will be removing mine now and renewing my passwords.
You don't have to remove it. Do you really think Google Authenticator, software developed by Google, is totally vulnerable to the new virus forever? Of course Google is going to take some steps and put out some patches to make sure that Google Authenticator is safe from all kinds of attacks.
Like I said, you don't have to remove authenticator. Just make sure you keep your phone protected and be careful when surfing the internet or downloading files. As long as you don't get your phone infected, you will be safe.


Title: Re: A new virus is attacking Google 2FA app
Post by: samcrypto on February 28, 2020, 11:07:48 PM
Nothing is safe from the hackers anymore; they are working hard to crack every security code that we have. 2FA is the best so far, but if there's a confirmed hacking incident on this security then people will panic. I hope Google will improve the security of 2FA, and I hope the Android system will become more secure as well; there are a lot of Android users here for sure.


Title: Re: A new virus is attacking Google 2FA app
Post by: BADecker on February 29, 2020, 01:05:48 AM
It's probably a mapping of the Coronavirus into standard programming. I wonder who mapped it this way, and let it loose at Google.

 ;D


Title: Re: A new virus is attacking Google 2FA app
Post by: UserU on February 29, 2020, 07:26:17 AM
lol this is something i've been saying for years, * 2fa password schemes are some bullshiT\_@@_/reeeee

Well, it's not just 2FA that has its own weakness. Passwords can be cracked, biometrics can be spoofed and so forth.

At least 2FA adds one layer of security through our phones/ emails.


Title: Re: A new virus is attacking Google 2FA app
Post by: Nancyo on February 29, 2020, 10:15:46 AM
It seems 2FA authentication is not totally safe anymore.

A new malware called Cerberus now targets Android-based smartphones by stealing passwords provided by the Google Authenticator app, a new cyber-security report by ThreatFabric states.

As reported by the research group, Cerberus can do something that very few other Trojans are able to – mess with the Google Authenticator app and steal its one-time codes which are often used to secure access to Bitcoin wallets or accounts on digital exchanges.

Until now, this Google app was believed to be the best protection, much more efficient than SMS-based security codes.

https://u.today/bitcoin-btc-wallets-may-be-in-danger-as-new-trojan-compromises-google-2fa
https://www.threatfabric.com/blogs/2020_year_of_the_rat.html


Can this be true? I recently couldn't log in to an exchange I secured with 2FA even though I still have the codes. I chatted with customer service and the account was reactivated, only to find out that some of my tokens had been moved out. Though not much, it was really painful.


Title: Re: A new virus is attacking Google 2FA app
Post by: 2020VISION on February 29, 2020, 03:23:12 PM
lol this is something i've been saying for years, * 2fa password schemes are some bullshiT\_@@_/reeeee

Well, it's not just 2FA that has its own weakness. Passwords can be cracked, biometrics can be spoofed and so forth.

At least 2FA adds one layer of security through our phones/ emails.

2FA is an ATTACK VECTOR  ::)  not an added layer of security.


Title: Re: A new virus is attacking Google 2FA app
Post by: NotATether on February 29, 2020, 08:14:58 PM
Interesting news OP. Let me see if I can dissect it. First it will help to know how Google Authenticator works so we don't, you know, talk about a black box. The protocol of Google Authenticator is publicly known, as there used to be open-source versions of it. It is now a proprietary app, but obviously it must be backward compatible with its older versions because a website using this protocol will need to accept users using both of these clients. The Google Play Store app is the proprietary version of Authenticator.

I use One Time Passwords (OTPs) generated by Authenticator, with a QR code, to log into university computers so I have at least some knowledge of how Authenticator works.

(Lots of the following content was sourced from https://en.wikipedia.org/wiki/Google_Authenticator)

First of all, this is a vulnerability in Authenticator so it doesn't matter whether you use username/password or QR code to login.

Second, the way Authenticator works is that it takes an 80-bit secret key that a service creates (as I will explain below this is a big security hole) in the form of a base32 (A-Z and 2-7 characters) string, possibly wrapped inside a QR code. If you don't know base32 then all you need to know about it is that each character like A, 2, etc. can store 5 bits of entropy, so the string ABCDE234 contains 40 bits of entropy. So, it doesn't matter how the secret is imported into Authenticator, it's ultimately the same secret string.

Third, the secret key is passed along with a periodically changing number (Google Authenticator uses TOTP variant of OTP), such as:
the number of 30-second periods since the Unix epoch

This is why OTPs are valid for only 30 seconds or so. Both of these are passed into a cryptographic algorithm (HMAC-SHA1 to be precise) that creates a hash out of them. Then it's modulus'ed by 1000000 (mod 1000000) to get a six-digit code. The hashing algorithm itself was not broken.

Last, and most importantly, wallets that don't use Authenticator are safe. Authenticator is a mobile app, there is also a browser extension available. So all desktop wallets that don't route you through the browser extension or mobile app to authenticate are not affected by this. I don't know how many bitcoin websites (could be web wallet, cloud mining, whatever) use Authenticator, I know Oxbtc makes you scan a QR code to withdraw but you'd have to be logged in with username and password anyway.

Here is the official Google Authenticator codebase (at least the open source part): https://github.com/google/google-authenticator-android/
This is the part of the code that handles secret entry. Notice how MIN_KEY_BYTES has a value of only 10 i.e. 80 bits: https://github.com/google/google-authenticator-android/blob/efac95c88ef8d9f8be3c887fbcd2c2fdf4f45dbe/java/com/google/android/apps/authenticator/otp/EnterKeyActivity.java#L121-L126
And this is the part of the code that hashes the secret into a 6-digit code: https://github.com/google/google-authenticator-android/blob/efac95c88ef8d9f8be3c887fbcd2c2fdf4f45dbe/java/com/google/android/apps/authenticator/otp/PasscodeGenerator.java#L152-L163

Clearly these code snippets indicate that while Google Authenticator supports more bits, it foolishly sets the minimum to 80 bits despite strict requirements (https://tools.ietf.org/html/rfc4226#section-4) by RFC 4226 (yes OTP is an RFC standard) to use at least 128 bits and recommends 160 bits, double the amount that Authenticator-aware web services use. Remember that web services are the ones creating these very small keys, not Authenticator.

So while OTP authentication provides strong security if used properly, Authenticator tokens fall very short of the minimum security requirements, so they were never secure to use in the first place. Again though, Authenticator supports more than 80 bits, it's just the web services don't make more bits.

It's worth noting that other TOTP authentication software works with the same sites as Google Authenticator, but are only as secure as the length of the secret key that the web service gives it.



Now, about the vulnerability:

According to the security whitepaper buried in the article OP linked (https://www.threatfabric.com/blogs/2020_year_of_the_rat.html), this is an Android virus. It uses code specific to Android. This is not an iOS virus. And apparently this virus existed since Mid-January this year.

The feature enabling theft of device’s screen lock credentials (PIN and lock pattern) is powered by a simple overlay that will require the victim to unlock the device. From the implementation of the RAT we can conclude that this screen-lock credential theft was built in order for the actors to be able to remotely unlock the device in order to perform fraud when the victim is not using the device.

Definitely sounds like mobile phone malware to me. Note the use of the words "screen lock". This is only applicable to phones, not browsers, as if this was e.g. a Chrome vulnerability it would've been mentioned in the paper. So, this doesn't work for web browser extensions of Authenticator.

What about desktops? Well those are only as safe as the web browser is, as Authenticator for desktops lives in the browser as an addon. No Windows or Linux, or even Chrome or Firefox, vulnerabilities were detailed here so those parts should be safe.

I wonder if the news about 2fa being compromised is true, haven't heard any reaction from Google about this rumor, if it is true then google would be fast enough to react on this and notifiy their users about the incident.

Please don't conflate different types of 2FA together, especially since there isn't really a technical protocol that all 2FA methods use and so you can't say all of 2FA is compromised by a single vulnerability, like the one in the article. Again:

  • Only Authenticator for Android is affected
  • Other Authenticator platforms are safe from this (for now)
  • Even though only Google Authenticator for Android is affected right now, other authentication apps might get targeted in the future. It's only been 6 months since the virus (called Cerberus) was updated with this.
  • 2FAs that don't use OTP are safe from this

I wish the security company had made available the part of the Cerberus code that intercepts the Authenticator 2FA tokens so we would have a clearer idea of what type of information is being stolen right now. Remember that viruses are slow to update; they have to be patched at hacking forums for months.



That being said, there is a long list of flaws in SMS 2FAs and I would take OTP based 2FA over SMS 2FA any day. SMS 2FAs have no cryptographic strength over OTPs because the security of SMS 2FAs relies entirely on your carrier to not have telecom engineers who've been bribed by criminals to replace your phone number or intercept your SMS messages. Heck, famous people's accounts have been hacked by people who compromised SMS 2FA. it (https://www.indiawest.com/news/global_indian/pakistani-man-charged-for-bribing-at-t-staff-to-illegally/article_6ef1c892-c5e3-11e9-991b-4396abe4e842.html) is (https://www.nbcbayarea.com/news/local/mans-1m-life-savings-stolen-in-cell-phone-scam/192416/) very (https://timesofindia.indiatimes.com/city/bengaluru/many-bengalureans-lose-cash-to-sim-card-swap-fraud/articleshow/58387867.cms) easy (https://www.theverge.com/2018/2/5/16976114/tmobile-cryptocurrency-bitcoin-hack-security-breach-lawsuit) to (https://www.theverge.com/a/anatomy-of-a-hack) hijack (https://securelist.com/large-scale-sim-swap-fraud/90353) a (https://www.darkreading.com/endpoint/i-hacked-my-accounts-using-my-mobile-number-heres-what-i-learned/a/d-id/1336315) SIM (https://hackernoon.com/my-sim-swap-attack-how-i-almost-lost-dollar71k-and-how-to-prevent-it-tj39q3aju). The most damning part about SMS authentication is that mobile carriers don't do anything about this. (https://www.techdirt.com/articles/20180717/11513940252/wireless-carriers-have-sim-hijacking-problem-they-dont-want-to-talk-about.shtml)  (Think about it. It's their managers and employees, whose internal decisions can override a complaint you make about their services. That's how much security there is in SMS 2FA.)

And then there are notices like this: T-Mobile Is Sending a Mass Text Warning of ‘Industry-Wide’ Phone Hijacking Scam (https://www.vice.com/en_us/article/gy8bxy/t-mobile-text-warning-phone-hijacking-number-port-out-scam):

https://video-images.vice.com/_uncategorized/1517852442109-DU_a5z5VAAAGsZD.jpeg?resize=492:*

You know a security method is very, very insecure if the only counter-measure operators can take is warning people not to fall for it. This particular message reeks of generic lack-of-concern towards the users when there is a danger with catastrophic consequences going on. Reminds me of Facebook security notices sometimes.



Long story short, SIM 2FA is not secure, and the way OTPs are being used right now is not secure either (web services need to get their act together already). If you ask me I wouldn't use any 2FA until most web services make secret keys at least 128 bits long. I would use a BIP39 passphrase instead. I'm not a security researcher and don't claim to be one, I just thought I would clear up some of the misinformation in this thread.

P.S. link to the security whitepaper that's buried inside the article OP linked, in case you didn't see it above: https://www.threatfabric.com/blogs/2020_year_of_the_rat.html
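
The TOTP scheme NotATether describes above (base32 secret, a counter of 30-second periods since the Unix epoch, HMAC-SHA1, a six-digit result), worked through in Python as an added example that is not from this thread or from Google's codebase; it also reports how a secret's length measures up against the RFC 4226 section 4 minimum the post cites. The only key material is the ASCII test key from the RFC 4226/6238 appendices, base32-encoded here, plus one constructed 16-character secret used to show the 80-bit case.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 section 4: the shared secret MUST be at least 128 bits, SHOULD be 160.
RFC4226_MIN_SECRET_BITS = 128
RFC4226_RECOMMENDED_SECRET_BITS = 160

# Constructed test key: the 20-byte ASCII secret from the RFC 4226 / RFC 6238
# appendices, base32-encoded the way a service would present it to the app.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def decode_base32_secret(secret: str) -> bytes:
    """Turn the base32 string (A-Z, 2-7) a service hands out into raw key bytes.

    Services often omit padding, use lower case, or insert spaces for
    readability; all of those forms are normalised before decoding.
    """
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # base32 works in 8-character groups
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to a 31-bit integer, then reduce modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP as Google Authenticator uses it: the HOTP counter is the
    number of `step`-second periods elapsed since the Unix epoch."""
    return hotp(decode_base32_secret(secret), unix_time // step, digits)


def verify_totp(secret: str, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current period plus `window` periods on
    either side to tolerate clock drift, comparing in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def secret_strength(secret: str) -> dict:
    """Report how the secret a service issued compares with RFC 4226 section 4."""
    bits = len(decode_base32_secret(secret)) * 8
    return {
        "bits": bits,
        "meets_rfc4226_minimum": bits >= RFC4226_MIN_SECRET_BITS,
        "meets_rfc4226_recommended": bits >= RFC4226_RECOMMENDED_SECRET_BITS,
    }


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_TEST_SECRET, now),
          "valid for", 30 - now % 30, "more seconds")
    print("RFC 6238 vector, T=59:", totp(RFC_TEST_SECRET, 59))  # 287082
    # A 16-character base32 secret is 10 bytes = 80 bits, the Authenticator
    # minimum the post points at; constructed value, not from any real service.
    print(secret_strength("JBSWY3DPEHPK3PXP"))
    print(secret_strength(RFC_TEST_SECRET))
```

Any other TOTP app (Authy, Aegis) computes exactly the same code from the same secret, which is why the secret's length, set by the web service, is what bounds the strength.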


Title: Re: A new virus is attacking Google 2FA app
Post by: Danslip on March 01, 2020, 12:12:12 AM
As was mentioned in previous posts, the Google Play Store download count is more than 10M+. I doubt the malicious software or Trojan will handle the 60-second time limit for accessing the site unless the source code is extracted from the app. I have used the Authy app, and this app is more secure than Google's 2FA authentication app.

Long story short, SIM 2FA is not secure, and the way OTPs are being used right now is not secure either (web services need to get their act together already). If you ask me I wouldn't use any 2FA until most web services make secret keys at least 128 bits long. I would use a BIP39 passphrase instead. I'm not a security researcher and don't claim to be one, I just thought I would clear up some of the misinformation in this thread.

P.S. link to the security whitepaper that's buried inside the article OP linked, in case you didn't see it above: https://www.threatfabric.com/blogs/2020_year_of_the_rat.html
Thanks for the explanation. There are even services on the dark web that talk about cloning the SIM number after finding the latest signal coming from the database. The nearest data center signal is enough to hack the number and forward the incoming SMS. Horrible..


Title: Re: A new virus is attacking Google 2FA app
Post by: erikalui on March 01, 2020, 12:10:15 PM
Malware can always make your phone vulnerable, even for mobile apps, but attacking Google 2FA is dangerous. I have been using it for almost all the exchanges earlier (gladly I haven't saved anything now), but disabling this method doesn't seem an option now. What's the other way out? These exchanges don't support sending OTPs to mobiles and only send them to emails, which are again insecure.


Title: Re: A new virus is attacking Google 2FA app
Post by: sheenshane on March 01, 2020, 03:24:27 PM
Honestly, this virus isn't a new story in the industry. The Cerberus Android malware has already been around since June 2019.

The virus was being rented out on the black market last year. It has caught the attention of the cyber authorities since then. I heard this malware is originally from Russia. It was also inspired by the malware called Anubis. Maybe they are related to this ransomware, and maybe it has the same developer.

If you really want good security, you might try Authy as the alternative. Authy has encrypted backups you can take advantage of. IMO


Title: Re: A new virus is attacking Google 2FA app
Post by: Pamadar on March 01, 2020, 03:39:16 PM
Malware can always make your phone vulnerable, even for mobile apps, but attacking Google 2FA is dangerous. I have been using it for almost all the exchanges earlier (gladly I haven't saved anything now), but disabling this method doesn't seem an option now. What's the other way out? These exchanges don't support sending OTPs to mobiles and only send them to emails, which are again insecure.
It's very risky disabling the best protection that we have as of now if we are dealing with securities inside our important online wallets. Though there are chances that it will be breached, updates will follow, knowing the creators/developers of this system; it will be a challenge for Google to protect those people who believe in this application. For sure they've already been alarmed by these types of attacks, and it will be updated sooner.


Title: Re: A new virus is attacking Google 2FA app
Post by: carlfebz2 on March 01, 2020, 07:44:34 PM
Malware can always make your phone vulnerable, even for mobile apps, but attacking Google 2FA is dangerous. I have been using it for almost all the exchanges earlier (gladly I haven't saved anything now), but disabling this method doesn't seem an option now. What's the other way out? These exchanges don't support sending OTPs to mobiles and only send them to emails, which are again insecure.
It's very risky disabling the best protection that we have as of now if we are dealing with securities inside our important online wallets. Though there are chances that it will be breached, updates will follow, knowing the creators/developers of this system; it will be a challenge for Google to protect those people who believe in this application. For sure they've already been alarmed by these types of attacks, and it will be updated sooner.
Nothing in this world really has 100% security, and everything can really be breached as long as those hackers exist. Loopholes are there, so it isn't really surprising to see this kind of news, but sooner or later they will really patch up that hole fast, knowing that Google 2FA has lots of users and the developer team/Google itself won't really make things worse in a way that would give a bad impression of their app.


Title: Re: A new virus is attacking Google 2FA app
Post by: squatter on March 01, 2020, 08:07:37 PM
Honestly, this virus isn't a new story in the industry. The Cerberus Android malware has already been around since June 2019.

Cerberus never contained OTP 2FA exploits before. This is a new development. The new exploit also hasn't been found yet in the current versions of Cerberus floating around on the black market.

If you really want good security, you might try Authy as the alternative. Authy has encrypted backups you can take advantage of. IMO

Cerberus is Android-specific. It's probably fair to assume that other Android authentication apps will be targeted in the future.

I would remove Android devices from your security setup. I would also avoid logging in to accounts from the same device you receive OTP 2FA codes from.


Title: Re: A new virus is attacking Google 2FA app
Post by: Saint-loup on March 01, 2020, 11:53:58 PM
As was mentioned in previous posts, the Google Play Store download count is more than 10M+. I doubt the malicious software or Trojan will handle the 60-second time limit for accessing the site unless the source code is extracted from the app. I have used the Authy app, and this app is more secure than Google's 2FA authentication app.
When you say the "source code", are you talking about the seed of the OTP codes?
I disagree with you, one minute is enough for hackers; moreover, on some exchanges the window is larger than that, and OTP codes older than one minute still work...  :-\
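Added example, not taken from any post in this thread or from ThreatFabric's report: a plain-Python implementation of the TOTP scheme Google Authenticator uses (RFC 4226 HOTP under RFC 6238), written to make two points from the thread concrete. First, the "seed" is all an attacker needs: with it, codes for any time can be computed, so the 30-second code lifetime is no obstacle once the secret has been stolen. Second, the verifier decides how stale a code may be; the `window` parameter below is the usual "accept adjacent time steps" tolerance, and widening it is exactly what makes codes older than one minute keep working on some exchanges. The secret length check reflects the earlier post's point that the service, not the app, picks how many bits of entropy the secret has. Only the Python standard library is used; the RFC 6238 Appendix B vector is included as a self-check.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional

STEP_SECONDS = 30   # RFC 6238 default time step, also what Google Authenticator uses
DIGITS = 6          # code length shown by Google Authenticator


def decode_secret(b32_secret: str) -> bytes:
    """Decode the base32 secret as carried in an otpauth:// QR code (padding is usually stripped)."""
    s = b32_secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # restore the '=' padding that QR payloads drop
    return base64.b32decode(s)


def generate_secret(bits: int = 160) -> str:
    """Random secret with `bits` of entropy, base32-encoded.
    RFC 4226 requires at least 128 bits and recommends 160; the actual length is chosen by the
    web service at enrollment, which is why the authenticator app cannot fix a short secret."""
    if bits % 8:
        raise ValueError("bits must be a multiple of 8")
    return base64.b32encode(secrets.token_bytes(bits // 8)).decode("ascii").rstrip("=")


def secret_entropy_bits(b32_secret: str) -> int:
    """Entropy of a secret, assuming the service generated it uniformly at random."""
    return len(decode_secret(b32_secret)) * 8


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(b32_secret: str, at: Optional[int] = None, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP for the 30-second step containing Unix time `at` (default: now)."""
    t = int(time.time()) if at is None else at
    return hotp(decode_secret(b32_secret), t // STEP_SECONDS, digits)


def verify(b32_secret: str, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Server-side check. `window` is how many adjacent steps on either side are accepted:
    window=1 lets a code up to ~30 s stale pass; a larger window keeps older codes alive."""
    t = int(time.time()) if at is None else at
    key = decode_secret(b32_secret)
    step = t // STEP_SECONDS
    return any(hmac.compare_digest(hotp(key, step + d), code)
               for d in range(-window, window + 1))


def codes_from_stolen_secret(b32_secret: str, start: int, count: int) -> List[str]:
    """What an attacker holding the secret can do: precompute the next `count` codes from `start`.
    Stealing the seed is therefore worth far more than grabbing a single 30-second code."""
    return [totp(b32_secret, start + i * STEP_SECONDS) for i in range(count)]


# RFC 6238 Appendix B test vector: ASCII secret "12345678901234567890", HMAC-SHA1, 8 digits.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


def rfc6238_vectors_ok() -> bool:
    """Self-check against two published vectors (T=59 -> 94287082, T=1111111109 -> 07081804)."""
    return (totp(RFC_SECRET, 59, 8) == "94287082"
            and totp(RFC_SECRET, 1111111109, 8) == "07081804")


if __name__ == "__main__":
    s = generate_secret(160)
    now = int(time.time())
    print("secret:", s, "entropy bits:", secret_entropy_bits(s))
    print("current code:", totp(s, now))
    print("next 5 codes computable from the stolen secret:", codes_from_stolen_secret(s, now, 5))
    print("RFC 6238 vectors:", "ok" if rfc6238_vectors_ok() else "FAIL")
```

Run it as-is to see the RFC vector check pass and a fresh secret's codes roll forward; the `verify(..., window=...)` call is where an exchange's "old codes still work" behaviour lives, and nothing in the client app can tighten it.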


Title: Re: A new virus is attacking Google 2FA app
Post by: NotATether on March 02, 2020, 01:49:50 PM
Malware can always make your phone vulnerable, even for mobile apps, but attacking Google 2FA is dangerous. I have been using it for almost all the exchanges earlier (gladly I haven't saved anything now), but disabling this method doesn't seem an option now. What's the other way out? These exchanges don't support sending OTPs to mobiles and only send them to emails, which are again insecure.

This particular virus can only infect you if you swipe-unlock a fake lock screen on Android. I don't think it can infect you by opening a link, at least from the information I derived from the whitepaper.


Title: Re: A new virus is attacking Google 2FA app
Post by: coupable on March 02, 2020, 03:59:22 PM
Malware can always make your phone vulnerable, even for mobile apps, but attacking Google 2FA is dangerous. I have been using it for almost all the exchanges earlier (gladly I haven't saved anything now), but disabling this method doesn't seem an option now. What's the other way out? These exchanges don't support sending OTPs to mobiles and only send them to emails, which are again insecure.

This particular virus can only infect you if you swipe-unlock a fake lock screen on Android. I don't think it can infect you by opening a link, at least from the information I derived from the whitepaper.
This is the most important part about how to get infected. As you checked the whitepaper, can you confirm that all Android apps can be infected? Meaning, if I am using Authy, not Google Authenticator, would Authy also be infected?
Usually, I don't enable screen lock, so it would be strange for me to see that lock screen, but if it's not from a link/malware download, how can the virus reach my device?

I read all the comments above but still find it hard to believe that the virus has been out there since last June and Google didn't announce it as a potential high-risk danger nor update its auth app with more security measures.


Title: Re: A new virus is attacking Google 2FA app
Post by: NotATether on March 03, 2020, 12:17:11 PM
This is the most important part about how to get infected. As you checked the whitepaper, can you confirm that all Android apps can be infected? Meaning, if I am using Authy, not Google Authenticator, would Authy also be infected?
Usually, I don't enable screen lock, so it would be strange for me to see that lock screen, but if it's not from a link/malware download, how can the virus reach my device?

I read all the comments above but still find it hard to believe that the virus has been out there since last June and Google didn't announce it as a potential high-risk danger nor update its auth app with more security measures.

I don't think there is anything Google can update in Authenticator to stop this particular virus; it's not a weakness of the secret keys being exploited, it's Android itself being hacked. I think they should release a security update for Android, and they probably will since this news is bubbling up in mainstream news outlets.

Now that I look at the whitepaper again, it says a lot of things about stealing Google Authenticator secrets, but after reading the other whitepaper at https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html (https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html), I see it can make other kinds of fake/phishing input screens, not just fake lock screens. This potentially lets it steal secret data from other apps like Authy. But the Cerberus botnet commanders (it makes a botnet) would have to be interested in stealing Authy secrets before making an "overlay" (fake screen) for that. I think the reason they decided to create a new whitepaper about Cerberus and Google Authenticator is that this new Cerberus can download anything from your filesystem and can make TeamViewer connections to Android, so like a remote control. The old version can't do this. Also, neither version can be uninstalled, which is a common thing for viruses to implement.

https://i.imgur.com/J39eG9n.png

These screens are from the old version of Cerberus. Old Cerberus was released (made available for sale) in June 2019; new Cerberus was released in January 2020. As you can see, it can also steal OTPs and other codes by presenting these fake login/data entry screens. My screenshot resolution is a little bad. I don't know how it does an "overlay attack" or if there is a way to tell whether a given screen is fake, but these screens were pasted from the whitepaper as example fake screens that Cerberus is known to use. In both versions, some Flash Player screen is going to ask you for accessibility privileges in a dialog like this:

https://i.imgur.com/oSR5cUR.png

Don't give suspicious Flash Player lookalike apps any permissions. Now would be a good time to reiterate: don't give any apps permissions that they don't need. If someone is foolish enough to give this app permissions, it will give itself even more privileges and turn off Play Protect. Then it (both old and new Cerberus) will add your device to a botnet which can send these commands (pasted from the whitepaper):

Command            Description
push               Shows a push notification. Clicking on the notification will result in launching a specified app
startApp           Starts the specified application
getInstallApps     Gets the list of installed applications on the infected device
getContacts        Gets the contact names and phone numbers from the address book on the infected device
deleteApplication  Triggers the deletion of the specified application
forwardCall        Enables call forwarding to the specified number
sendSms            Sends a text message with specified text from the infected device to the specified phone number
startInject        Triggers the overlay attack against the specified application
startUssd          Calls the specified USSD code
openUrl            Opens the specified URL in the WebView
getSMS             Gets all text messages from the infected device
killMe             Triggers the kill switch for the bot
updateModule       Updates the payload module (Note: I think this updates the virus)

So you see, they can just startInject any app they want, including other authenticators, and bam - you get a fake phishing screen. If you're tech savvy then you can check the packages on your phone and make sure there aren't any with these SHA256 hashes:

App name      Package name                  SHA256 hash
Flash Player  com.uxlgtsvfdc.zipvwntdy      728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f
Flash Player  com.ognbsfhszj.hqpquokjdp     fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329
Flash Player  com.mwmnfwt.arhkrgajn         ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c
Flash Player  com.wogdjywtwq.oiofvpzpxyo    6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4
Flash Player  com.hvdnaiujzwo.fovzeukzywfr  cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b
Flash Player  com.gzhlubw.pmevdiexmn        3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63


Edit: some more Cerberus hashes:
c3adb0a1a420af392de96b1150f0a23d8826c8207079e1dc268c07b763fe1af7
4ff95cadf83b47d1305f1deb4315e6387c4c0d58a0bdd12f74e866938c48baa5
9d4ce9cce72ec64761014aecbf1076041a8d790771fa8f8899bd3e2b2758281d


Confirmation that they are targeting cryptocurrency services that we use:

https://i.imgur.com/eajpOj2.png

Always better to have knowledge of what viruses do so we know what to expect from them, right?
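Added example, not part of the post above or of ThreatFabric's report: a small Python checker that turns the package names and SHA256 hashes listed in the post into something you can actually run against a device. The indicator values are copied from the tables above; everything else (the sample `pm list packages -f` output, the throwaway file used to exercise the hash path) is constructed here for illustration. The name check is the cheap first pass, but the operators pick new random package names per build, so the hash check over pulled APKs is the one that matters; and a repacked variant will not match either list, so a clean result only means none of these specific samples is present.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Package name -> SHA256 of the dropper APK, copied from the table in the post above.
CERBERUS_PACKAGES: Dict[str, str] = {
    "com.uxlgtsvfdc.zipvwntdy":     "728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f",
    "com.ognbsfhszj.hqpquokjdp":    "fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329",
    "com.mwmnfwt.arhkrgajn":        "ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c",
    "com.wogdjywtwq.oiofvpzpxyo":   "6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4",
    "com.hvdnaiujzwo.fovzeukzywfr": "cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b",
    "com.gzhlubw.pmevdiexmn":       "3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63",
}
# The three additional hashes from the post, which carry no package name.
CERBERUS_EXTRA_HASHES: Set[str] = {
    "c3adb0a1a420af392de96b1150f0a23d8826c8207079e1dc268c07b763fe1af7",
    "4ff95cadf83b47d1305f1deb4315e6387c4c0d58a0bdd12f74e866938c48baa5",
    "9d4ce9cce72ec64761014aecbf1076041a8d790771fa8f8899bd3e2b2758281d",
}


def known_hashes() -> Set[str]:
    return set(CERBERUS_PACKAGES.values()) | CERBERUS_EXTRA_HASHES


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so a large APK does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_pm_list(output: str) -> List[Tuple[str, str]]:
    """Parse `adb shell pm list packages -f` output into (package name, apk path) pairs.
    Each line is `package:<apk path>=<package name>`; on newer Android builds the path itself
    can contain '=' characters, so split on the last '=' only."""
    result = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        path, name = line[len("package:"):].rsplit("=", 1)
        result.append((name, path))
    return result


def flag_by_name(packages: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Packages whose name appears in the table above (cheap, but names change per build)."""
    return [(name, path) for name, path in packages if name in CERBERUS_PACKAGES]


def flag_by_hash(apk_paths: Iterable[str], iocs: Optional[Set[str]] = None) -> List[Tuple[str, str]]:
    """Hash each APK (e.g. after `adb pull`) and report those matching a listed Cerberus hash."""
    iocs = known_hashes() if iocs is None else iocs
    hits = []
    for p in apk_paths:
        digest = sha256_file(p)
        if digest in iocs:
            hits.append((p, digest))
    return hits


# Constructed sample of `pm list packages -f` output (not real device output). One line uses a
# package name from the table above; the other two are benign.
SAMPLE_PM_OUTPUT = """\
package:/system/app/YouTube/YouTube.apk=com.google.android.youtube
package:/data/app/~~Q1w2e3==/com.google.android.apps.authenticator2-abc==/base.apk=com.google.android.apps.authenticator2
package:/data/app/com.uxlgtsvfdc.zipvwntdy-1/base.apk=com.uxlgtsvfdc.zipvwntdy
"""


def demo() -> dict:
    """Run both checks on the constructed sample and a throwaway file, returning the findings."""
    pkgs = parse_pm_list(SAMPLE_PM_OUTPUT)
    name_hits = [name for name, _ in flag_by_name(pkgs)]
    with tempfile.TemporaryDirectory() as d:
        # A constructed, benign file: its hash is not in the list, so the hash pass must stay clean.
        fake_apk = os.path.join(d, "base.apk")
        with open(fake_apk, "wb") as f:
            f.write(b"PK\x03\x04 not a real apk, constructed for this example")
        clean_hits = flag_by_hash([fake_apk])
        # Prove the hash path works by treating this file's own digest as an indicator.
        self_hits = flag_by_hash([fake_apk], {sha256_file(fake_apk)})
    return {"parsed": len(pkgs), "name_hits": name_hits,
            "hash_hits_clean": len(clean_hits), "hash_hits_self": len(self_hits)}


if __name__ == "__main__":
    print(demo())
```

To use it on a real device, feed the output of `adb shell pm list packages -f` to `parse_pm_list`, then `adb pull` the APK paths of anything you do not recognise (the Flash Player entries will be in /data/app, not /system) and pass the local copies to `flag_by_hash`.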