Bitcoin Forum
Author Topic: A new virus is attacking Google 2FA app  (Read 370 times)
Oceat
February 28, 2020, 09:06:52 PM
 #21

I don't know how trustable your source is. That article has no strong point or source that would make it believable news. So I'll take it as hype news until Google confirms it. But if this is happening then many users who use the Google 2FA app for their security are going to suffer. And I don't think there is any crypto-related person who doesn't use this app. According to the Google Play Store around 10M+ people use this app. So I hope we'll know more details about it in a very short time.
I might have to stick with your point for the moment since Google hasn't confirmed anything yet about this so-called 2FA virus in Google Authenticator. Android viruses aren't as effective as Windows OS viruses, although a virus is still a virus that can cause problems on our phone, especially if we randomly download the apps we want from an unsafe website.

betty11
February 28, 2020, 09:14:00 PM
 #22

I didn't read your article, but I still think 2FA is very safe to use compared to leaving your exchange or wallets without any form of protection. What is needed is just for 2FA to have more security in third-party software development.
adzino
February 28, 2020, 10:50:22 PM
 #23

No way. I have a lot of accounts with 2FA, almost all of my accounts have it. This is just alarming, I never thought that it would be breached like that. Most of the sites offer this as security, and if this is happening a lot of accounts will be hacked so easily, since that is the first thing you will put in when you log in. I will be removing mine now and renewing my passwords.
You don't have to remove it. Do you really think Google Authenticator, software developed by Google, is totally vulnerable to the new virus forever? Of course Google is going to take some steps and put out some patches to make sure that Google Authenticator is safe from all kinds of attack.
Like I said, you don't have to remove authenticator. Just make sure you keep your phone protected and be careful when surfing the internet or downloading files. As long as you don't get your phone infected, you will be safe.

samcrypto
February 28, 2020, 11:07:48 PM
 #24

Nothing is safe anymore from the hackers; they are working hard to crack every security code that we have. 2FA is the best so far, but if there are confirmed hacking incidents on this security then people will panic. I hope Google will improve the security of 2FA, and I hope that the Android system will become more secure as well; there are a lot of Android users here for sure.

BADecker
February 29, 2020, 01:05:48 AM
 #25

It's probably a mapping of the Coronavirus into standard programming. I wonder who mapped it this way, and let it loose at Google.

UserU
February 29, 2020, 07:26:17 AM
 #26

lol this is something I've been saying for years, * 2fa password schemes are some bullshiT\_@@_/reeeee

Well, it's not just 2FA that has its own weakness. Passwords can be cracked, biometrics can be spoofed and so forth.

At least 2FA adds one layer of security through our phones/emails.

Nancyo
February 29, 2020, 10:15:46 AM
 #27

It seems 2FA authentication is not totally safe anymore.

A new malware called Cerberus now targets Android-based smartphones by stealing passwords provided by the Google Authenticator app, a new cyber-security report by ThreatFabric states.

As reported by the research group, Cerberus can do something that very few other Trojans are able to – mess with the Google Authenticator app and steal its one-time codes which are often used to secure access to Bitcoin wallets or accounts on digital exchanges.

Until now, this Google app was believed to be the best protection, much more efficient than SMS-based security codes.

https://[Suspicious link removed]day/bitcoin-btc-wallets-may-be-in-danger-as-new-trojan-compromises-google-2fa
https://www.threatfabric.com/blogs/2020_year_of_the_rat.html


Can this be true? I recently couldn't log in to an exchange I secured with 2FA even though I still have them. I chatted with customer service and the account was reactivated, only to find out that some of my tokens had been moved out. Though not much, it was really painful.

2020VISION
February 29, 2020, 03:23:12 PM
 #28

lol this is something I've been saying for years, * 2fa password schemes are some bullshiT\_@@_/reeeee

Well, it's not just 2FA that has its own weakness. Passwords can be cracked, biometrics can be spoofed and so forth.

At least 2FA adds one layer of security through our phones/emails.

2FA is an ATTACK VECTOR, not an added layer of security.

NotATether
February 29, 2020, 08:14:58 PM
Merited by vapourminer (1)
 #29

Interesting news OP. Let me see if I can dissect it. First it will help to know how Google Authenticator works so we don't, you know, talk about a black box. The protocol of Google Authenticator is publicly known, as there used to be open-source versions of it. It is now a proprietary app, but obviously it must be backward compatible with its older versions, because a website using this protocol needs to accept users using both of these clients. The Google Play Store app is the proprietary version of Authenticator.

I use One Time Passwords (OTPs) generated by Authenticator, with a QR code, to log into university computers so I have at least some knowledge of how Authenticator works.

(Lots of the following content was sourced from https://en.wikipedia.org/wiki/Google_Authenticator)

First of all, this is a vulnerability in Authenticator so it doesn't matter whether you use username/password or QR code to login.

Second, the way Authenticator works is that it takes an 80-bit secret key that a service creates (as I will explain below, this is a big security hole) in the form of a base32 (A-Z and 2-7 characters) string, possibly wrapped inside a QR code. If you don't know base32, then all you need to know about it is that each character like A, 2, etc. can store 5 bits of entropy, so the string ABCDE234 contains 40 bits of entropy. So, it doesn't matter how the secret is imported into Authenticator, it's ultimately the same secret string.

Third, the secret key is passed along with a periodically changing number (Google Authenticator uses TOTP variant of OTP), such as:
the number of 30-second periods since the Unix epoch

This is why OTPs are valid for only 30 seconds or so. Both of these are passed into a cryptographic algorithm (HMAC-SHA1 to be precise) that creates a hash out of them. Then it's taken modulo 1000000 (mod 1000000) to get a six-digit code. The hashing algorithm itself was not broken.

Last, and most importantly, wallets that don't use Authenticator are safe. Authenticator is a mobile app, there is also a browser extension available. So all desktop wallets that don't route you through the browser extension or mobile app to authenticate are not affected by this. I don't know how many bitcoin websites (could be web wallet, cloud mining, whatever) use Authenticator, I know Oxbtc makes you scan a QR code to withdraw but you'd have to be logged in with username and password anyway.

Here is the official Google Authenticator codebase (at least the open source part): https://github.com/google/google-authenticator-android/
This is the part of the code that handles secret entry. Notice how MIN_KEY_BYTES has a value of only 10 i.e. 80 bits: https://github.com/google/google-authenticator-android/blob/efac95c88ef8d9f8be3c887fbcd2c2fdf4f45dbe/java/com/google/android/apps/authenticator/otp/EnterKeyActivity.java#L121-L126
And this is the part of the code that hashes the secret into a 6-digit code: https://github.com/google/google-authenticator-android/blob/efac95c88ef8d9f8be3c887fbcd2c2fdf4f45dbe/java/com/google/android/apps/authenticator/otp/PasscodeGenerator.java#L152-L163

Clearly these code snippets indicate that while Google Authenticator supports more bits, it foolishly sets the minimum to 80 bits despite strict requirements by RFC 4226 (yes OTP is an RFC standard) to use at least 128 bits and recommends 160 bits, double the amount that Authenticator-aware web services use. Remember that web services are the ones creating these very small keys, not Authenticator.

So while OTP authentication provides strong security if used properly, Authenticator tokens fall very short of the minimum security requirements, so they were never secure to use in the first place. Again though, Authenticator supports more than 80 bits, it's just the web services don't make more bits.

It's worth noting that other TOTP authentication software works with the same sites as Google Authenticator, but is only as secure as the length of the secret key that the web service gives it.



Now, about the vulnerability:

According to the security whitepaper buried in the article OP linked (https://www.threatfabric.com/blogs/2020_year_of_the_rat.html), this is an Android virus. It uses code specific to Android. This is not an iOS virus. And apparently this virus has existed since mid-January this year.

The feature enabling theft of device’s screen lock credentials (PIN and lock pattern) is powered by a simple overlay that will require the victim to unlock the device. From the implementation of the RAT we can conclude that this screen-lock credential theft was built in order for the actors to be able to remotely unlock the device in order to perform fraud when the victim is not using the device.

Definitely sounds like mobile phone malware to me. Note the use of the words "screen lock". This is only applicable to phones, not browsers; if this were e.g. a Chrome vulnerability it would've been mentioned in the paper. So, this doesn't work for web browser extensions of Authenticator.

What about desktops? Well those are only as safe as the web browser is, as Authenticator for desktops lives in the browser as an addon. No Windows or Linux, or even Chrome or Firefox, vulnerabilities were detailed here so those parts should be safe.

I wonder if the news about 2FA being compromised is true. I haven't heard any reaction from Google about this rumor; if it is true then Google would be fast enough to react to this and notify their users about the incident.

Please don't conflate different types of 2FA together, especially since there isn't really a technical protocol that all 2FA methods use and so you can't say all of 2FA is compromised by a single vulnerability, like the one in the article. Again:

  • Only Authenticator for Android is affected
  • Other Authenticator platforms are safe from this (for now)
  • Even though only Google Authenticator for Android is affected right now, other authentication apps might get targeted in the future. It's only been 6 months since the virus (called Cerberus) was updated with this.
  • 2FA methods that don't use OTP are safe from this

I wish the security company had made available the part of the Cerberus code that intercepts the Authenticator 2FA tokens so we would have a clearer idea of what type of information is being stolen right now. Remember that viruses are slow to update; they have to be patched at hacking forums for months.



That being said, there is a long list of flaws in SMS 2FA and I would take OTP-based 2FA over SMS 2FA any day. SMS 2FA has no cryptographic strength over OTPs, because the security of SMS 2FA relies entirely on your carrier not having telecom engineers who've been bribed by criminals to replace your phone number or intercept your SMS messages. Heck, famous people's accounts have been hacked by people who compromised SMS 2FA. It is very easy to hijack a SIM. The most damning part about SMS authentication is that mobile carriers don't do anything about this. (Think about it. It's their managers and employees, whose internal decisions can override a complaint you make about their services. That's how much security there is in SMS 2FA.)

And then there are notices like this: T-Mobile Is Sending a Mass Text Warning of ‘Industry-Wide’ Phone Hijacking Scam:



You know a security method is very, very insecure if the only counter-measure operators can take is warning people not to fall for it. This particular message reeks of generic lack-of-concern towards the users when there is a danger with catastrophic consequences going on. Reminds me of Facebook security notices sometimes.



Long story short, SIM 2FA is not secure, and the way OTPs are being used right now is not secure either (web services need to get their act together already). If you ask me I wouldn't use any 2FA until most web services make secret keys at least 128 bits long. I would use a BIP39 passphrase instead. I'm not a security researcher and don't claim to be one, I just thought I would clear up some of the misinformation in this thread.

P.S. link to the security whitepaper that's buried inside the article OP linked, in case you didn't see it above: https://www.threatfabric.com/blogs/2020_year_of_the_rat.html
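The TOTP pipeline described in the post above (base32 secret, number of 30-second periods since the Unix epoch, HMAC-SHA1, dynamic truncation, mod 1000000), together with the point about 80-bit secrets versus the RFC 4226 minimum, carried through as a worked example. This is editor-added code, not code from the post, from the thread or from Google Authenticator. The sample secret is the RFC 6238 test secret (the ASCII string "12345678901234567890", base32-encoded), and the server-side acceptance window in verify_totp is an assumption about how a service might tolerate clock skew; it is not something the post specifies.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample input: the RFC 6238 reference secret "12345678901234567890" (ASCII),
# base32-encoded as a service would hand it to an authenticator app (20 bytes = 160 bits).
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

RFC4226_MIN_BITS = 128          # RFC 4226 section 4, R6: shared secret of at least 128 bits
RFC4226_RECOMMENDED_BITS = 160  # RFC 4226 recommends 160 bits
AUTHENTICATOR_MIN_BYTES = 10    # MIN_KEY_BYTES in the Authenticator source linked in the post (80 bits)


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 (A-Z, 2-7) secret the way an authenticator app does."""
    cleaned = secret_b32.strip().replace(" ", "").upper().rstrip("=")
    cleaned += "=" * (-len(cleaned) % 8)  # b32decode needs length padded to a multiple of 8
    return base64.b32decode(cleaned)


def secret_entropy_bits(secret_b32: str) -> int:
    """Each base32 character carries 5 bits, so a 16-character secret is 80 bits."""
    return 5 * len(secret_b32.strip().replace(" ", "").rstrip("="))


def check_secret_strength(secret_b32: str) -> dict:
    """Compare a service-issued secret against Authenticator's floor and the RFC 4226 requirements."""
    bits = secret_entropy_bits(secret_b32)
    return {
        "bits": bits,
        "meets_authenticator_minimum": bits >= 8 * AUTHENTICATOR_MIN_BYTES,
        "meets_rfc4226_minimum": bits >= RFC4226_MIN_BITS,
        "meets_rfc4226_recommendation": bits >= RFC4226_RECOMMENDED_BITS,
    }


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # zero-pad: "005924" stays six digits


def totp(secret_b32: str, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of `period`-second steps since the Unix epoch."""
    return hotp(decode_secret(secret_b32), unix_time // period, digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, period: int = 30, window: int = 1) -> bool:
    """Server-side check (assumed policy): accept the current step and +-window neighbours
    for clock skew, comparing in constant time. A wider window keeps old codes valid longer."""
    key = decode_secret(secret_b32)
    step = unix_time // period
    return any(
        hmac.compare_digest(hotp(key, step + delta), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(EXAMPLE_SECRET_B32, now))
    print("seconds left in this period:", 30 - now % 30)
    print("16-char secret:", check_secret_strength("ABCDEFGHIJKLMNOP"))
    print("RFC test secret:", check_secret_strength(EXAMPLE_SECRET_B32))
```

Running it shows why the two complaints in the post are separate: a 16-character secret passes Authenticator's 80-bit floor but fails both RFC 4226 thresholds, while the code-generation step itself (HMAC-SHA1 plus truncation) is standard and reproduces the RFC 6238 reference values. The acceptance window also makes concrete why a service that tolerates several periods of skew keeps an intercepted code usable for longer than 30 seconds.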

Danslip
March 01, 2020, 12:12:12 AM
 #30

As it was mentioned in previous posts, the Google Play Store download count is more than 10 mln+. I doubt the malicious software or Trojan will handle the 60-second time limit for accessing the site unless the source code is extracted from the app. I have used Authy app and this app is more secure than Google's 2FA authentication app.

Long story short, SIM 2FA is not secure, and the way OTPs are being used right now is not secure either (web services need to get their act together already). If you ask me I wouldn't use any 2FA until most web services make secret keys at least 128 bits long. I would use a BIP39 passphrase instead. I'm not a security researcher and don't claim to be one, I just thought I would clear up some of the misinformation in this thread.

P.S. link to the security whitepaper that's buried inside the article OP linked, in case you didn't see it above: https://www.threatfabric.com/blogs/2020_year_of_the_rat.html
Thanks for the explanation. There are even services on the dark web that talk about cloning the SIM number after finding the latest signal coming from the database. The nearest data center signal is enough to hack the number and forward the incoming SMS. Horrible..

erikalui
March 01, 2020, 12:10:15 PM
 #31

Malware can always make your phone vulnerable, even for mobile apps, but attacking Google 2FA is dangerous. I have been using it for almost all the exchanges earlier (gladly I haven't saved anything now) but disabling this method doesn't seem an option now. What's the other way out? These exchanges don't support sending OTPs to mobiles and only send them to emails, which are again insecure.

sheenshane
March 01, 2020, 03:24:27 PM
 #32

Honestly, this virus isn't a new story in the industry. The Cerberus Android malware has already been here since June 2019.

The virus was being rented out in the black market last year. It caught the attention of the cyber authorities since then. I heard this malware is originally from Russia. It was also inspired by the malware called Anubis. Maybe they are related to this ransomware and maybe with the same developer.

If you really want good security, you might try Authy as the alternative. Authy has encrypted backups you can take advantage of. IMO

Pamadar
March 01, 2020, 03:39:16 PM
 #33

Malware can always make your phone vulnerable, even for mobile apps, but attacking Google 2FA is dangerous. I have been using it for almost all the exchanges earlier (gladly I haven't saved anything now) but disabling this method doesn't seem an option now. What's the other way out? These exchanges don't support sending OTPs to mobiles and only send them to emails, which are again insecure.
It's very risky disabling the best protection we have as of now if we are dealing with securities inside our important online wallets. Though there are chances that it will be breached, updates will follow knowing the creators/developers of this system; it will be a challenge for Google to protect those people who believe in this application. For sure they've already been alarmed by these types of attacks and it will be updated sooner.
carlfebz2
March 01, 2020, 07:44:34 PM
 #34

Malware can always make your phone vulnerable, even for mobile apps, but attacking Google 2FA is dangerous. I have been using it for almost all the exchanges earlier (gladly I haven't saved anything now) but disabling this method doesn't seem an option now. What's the other way out? These exchanges don't support sending OTPs to mobiles and only send them to emails, which are again insecure.
It's very risky disabling the best protection we have as of now if we are dealing with securities inside our important online wallets. Though there are chances that it will be breached, updates will follow knowing the creators/developers of this system; it will be a challenge for Google to protect those people who believe in this application. For sure they've already been alarmed by these types of attacks and it will be updated sooner.
Nothing in this world really has 100% security, and everything can be breached as long as those hackers exist. Loopholes are there, so it isn't really surprising to see this kind of news, but sooner or later they will patch up that hole fast, knowing that Google 2FA has lots of users and that the developer team/Google itself won't make things worse and give a bad impression of their app.

squatter
March 01, 2020, 08:07:37 PM
 #35

Honestly, this virus isn't a new story in the industry. The Cerberus Android malware has already been here since June 2019.

Cerberus never contained OTP 2FA exploits before. This is a new development. The new exploit also hasn't been found yet in the current versions of Cerberus floating around on the black market.

If you really want good security, you might try Authy as the alternative. Authy has encrypted backups you can take advantage of. IMO

Cerberus is Android-specific. It's probably fair to assume that other Android authentication apps will be targeted in the future.

I would remove Android devices from your security setup. I would also avoid logging in to accounts from the same device you receive OTP 2FA codes from.

Saint-loup (OP)
March 01, 2020, 11:53:58 PM
 #36

As it was mentioned in previous posts, the Google Play Store download count is more than 10 mln+. I doubt the malicious software or Trojan will handle the 60-second time limit for accessing the site unless the source code is extracted from the app. I have used Authy app and this app is more secure than Google's 2FA authentication app.
When you say the "source code", are you talking about the seed of the OTP codes?
I disagree with you: one minute is enough for hackers. Moreover, on some exchanges the window is larger than that, and OTP codes older than one minute still work...

NotATether
March 02, 2020, 01:49:50 PM
 #37

Malware can always make your phone vulnerable, even for mobile apps, but attacking Google 2FA is dangerous. I have been using it for almost all the exchanges earlier (gladly I haven't saved anything now) but disabling this method doesn't seem an option now. What's the other way out? These exchanges don't support sending OTPs to mobiles and only send them to emails, which are again insecure.

This particular virus can only infect you if you swipe-unlock a fake lock screen on Android. I don't think it can infect you by opening a link, at least from the information I derived from the whitepaper.

coupable
March 02, 2020, 03:59:22 PM
 #38

Malware can always make your phone vulnerable, even for mobile apps, but attacking Google 2FA is dangerous. I have been using it for almost all the exchanges earlier (gladly I haven't saved anything now) but disabling this method doesn't seem an option now. What's the other way out? These exchanges don't support sending OTPs to mobiles and only send them to emails, which are again insecure.

This particular virus can only infect you if you swipe-unlock a fake lock screen on Android. I don't think it can infect you by opening a link, at least from the information I derived from the whitepaper.
This is the most important part of how one gets infected. As you checked the whitepaper, can you confirm that all Android apps can be infected? Meaning, if I am using Authy and not Google Authenticator, would Authy also be infected?
Usually I don't enable screen lock, so it would be strange for me to see that lock screen, but if it's not from a link/downloaded malware, how can the virus reach my device?

I read all the comments above but still find it hard to believe that the virus has been out there since last June and Google didn't announce it as a potential high-risk danger nor update its auth app with more security measures.

NotATether
March 03, 2020, 12:17:11 PM
Last edit: March 03, 2020, 05:42:58 PM by NotATether
Merited by NeuroticFish (2)
 #39

This is the most important part of how one gets infected. As you checked the whitepaper, can you confirm that all Android apps can be infected? Meaning, if I am using Authy and not Google Authenticator, would Authy also be infected?
Usually I don't enable screen lock, so it would be strange for me to see that lock screen, but if it's not from a link/downloaded malware, how can the virus reach my device?

I read all the comments above but still find it hard to believe that the virus has been out there since last June and Google didn't announce it as a potential high-risk danger nor update its auth app with more security measures.

I don't think there is anything Google can update in Authenticator to stop this particular virus; it's not the weakness of the secret keys being exploited, it's Android itself being hacked. I think they should release a security update for Android, and they probably will since this news is bubbling up in mainstream news outlets.

Now that I look at the whitepaper again, it says a lot of things about stealing Google Authenticator secrets, but after reading the other whitepaper at https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html, I see it can make other kinds of fake/phishing input screens, not just fake lock screens. This potentially lets it steal secret data from other apps like Authy. But the Cerberus botnet commanders (it makes a botnet) would have to be interested in stealing Authy secrets before making an "overlay" (fake screen) for that. I think the reason they decided to create a new whitepaper about Cerberus and Google Authenticator is that this new Cerberus can download anything from your filesystem and can make Teamviewer connections to android, so like a remote control. The old version can't do this. Also neither version can be uninstalled which is a common thing for viruses to implement.



These screens are from the old version of Cerberus. Old Cerberus was released (made available for sale) in June 2019; new Cerberus was released in January 2020. As you can see, it can also steal OTPs and other codes by presenting these fake login/data entry screens. My screenshot resolution is a little bad. I don't know how it does an "overlay attack" or whether there is a way to tell if a given screen is fake, but these screens were pasted from the whitepaper as examples of fake screens that Cerberus is known to use. In both versions, some Flash Player screen is going to ask you for accessibility privileges in a dialog like this:



Don't give suspicious Flash Player lookalike apps any permissions. Now would be a good time to reiterate: don't give any apps permissions that they don't need. If someone is foolish enough to give this app permissions, it will give itself even more privileges and turn off Play Protect. Then it (both old and new Cerberus) will add your device to a botnet, which can send these commands (pasted from the whitepaper):

Command | Description
push | Shows a push notification. Clicking on the notification will result in launching a specified app
startApp | Starts the specified application
getInstallApps | Gets the list of installed applications on the infected device
getContacts | Gets the contact names and phone numbers from the address book on the infected device
deleteApplication | Triggers the deletion of the specified application
forwardCall | Enables call forwarding to the specified number
sendSms | Sends a text message with specified text from the infected device to the specified phone number
startInject | Triggers the overlay attack against the specified application
startUssd | Calls the specified USSD code
openUrl | Opens the specified URL in the WebView
getSMS | Gets all text messages from the infected device
killMe | Triggers the kill switch for the bot
updateModule | Updates the payload module (Note: I think this updates the virus)

So you see they can just startInject any app they want, including other authenticators, and bam - you get a fake phishing screen. If you're tech savvy then you can check the packages on your phone and make sure there aren't any with these SHA256 hashes:

App name | Package name | SHA256 hash
Flash Player | com.uxlgtsvfdc.zipvwntdy | 728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f
Flash Player | com.ognbsfhszj.hqpquokjdp | fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329
Flash Player | com.mwmnfwt.arhkrgajn | ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c
Flash Player | com.wogdjywtwq.oiofvpzpxyo | 6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4
Flash Player | com.hvdnaiujzwo.fovzeukzywfr | cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b
Flash Player | com.gzhlubw.pmevdiexmn | 3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63


Edit: some more Cerberus hashes:
c3adb0a1a420af392de96b1150f0a23d8826c8207079e1dc268c07b763fe1af7
4ff95cadf83b47d1305f1deb4315e6387c4c0d58a0bdd12f74e866938c48baa5
9d4ce9cce72ec64761014aecbf1076041a8d790771fa8f8899bd3e2b2758281d


Confirmation that they are targeting cryptocurrency services that we use:



Always better to have knowledge of what viruses do so we know what to expect from them, right?
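As an added example (not code from the post or from the ThreatFabric whitepaper), here is a small Python checker for the "check your packages against these hashes" advice above: it parses the output of `adb shell pm list packages -f`, flags package names from the table, and compares an APK's SHA-256 against the listed hashes. The live check assumes `adb` is on the PATH and a device is connected; the parsing and hashing functions run offline on the constructed sample output embedded below.

```python
"""Check installed Android packages against the Cerberus indicators quoted
in the post above (package names and APK SHA-256 hashes).
Added example, not code from the post or the ThreatFabric whitepaper."""
import hashlib
import subprocess

# Package names and APK SHA-256 hashes copied from the table in the post.
CERBERUS_IOCS: dict[str, str] = {
    "com.uxlgtsvfdc.zipvwntdy": "728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f",
    "com.ognbsfhszj.hqpquokjdp": "fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329",
    "com.mwmnfwt.arhkrgajn": "ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c",
    "com.wogdjywtwq.oiofvpzpxyo": "6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4",
    "com.hvdnaiujzwo.fovzeukzywfr": "cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b",
    "com.gzhlubw.pmevdiexmn": "3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63",
}
# Constructed sample of `adb shell pm list packages -f` output (one line per app).
SAMPLE_PM_OUTPUT = (
    "package:/data/app/com.android.chrome-1/base.apk=com.android.chrome\n"
    "package:/data/app/com.uxlgtsvfdc.zipvwntdy-1/base.apk=com.uxlgtsvfdc.zipvwntdy\n"
)

def parse_pm_list(output: str) -> dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` lines."""
    installed = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        # The path may itself contain '=', so split on the last one.
        path, _, pkg = line[len("package:"):].rpartition("=")
        installed[pkg] = path
    return installed

def suspicious_packages(installed: dict[str, str], iocs: dict[str, str] = CERBERUS_IOCS) -> list[str]:
    """Installed package names that match a known Cerberus sample."""
    return sorted(pkg for pkg in installed if pkg in iocs)

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def apk_hash_matches(apk_bytes: bytes, iocs: dict[str, str] = CERBERUS_IOCS) -> bool:
    """True if the APK's SHA-256 is one of the known-bad hashes."""
    return sha256_bytes(apk_bytes) in set(iocs.values())

def check_device_apk(apk_path: str) -> bool:
    """Read an APK off a connected device via adb and hash it (needs adb on PATH)."""
    data = subprocess.run(["adb", "exec-out", "cat", apk_path], check=True, capture_output=True).stdout
    return apk_hash_matches(data)

if __name__ == "__main__":
    print("suspicious:", suspicious_packages(parse_pm_list(SAMPLE_PM_OUTPUT)))
```

A name match alone is not proof (the package names are random-looking and a new build would carry a new hash), so hash the APK too and treat any hit as a reason to factory-reset rather than just uninstall, given the post's note that Cerberus resists removal.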
