Skip to main content

Google 2FA codes could be less secure than thought

(Image credit: Image Credit: CyberHades / Flickr)

Google Authenticator, a popular two-factor authentication app for Android, has had a serious flaw for years, which can be used by attackers to access online bank accounts.

Cybersecurity researchers at ThreatFabric have identified a new variety of Android malware, dubbed Cerberus. It is described as a hybrid between a banking trojan and remote access trojan, and abuses a simple flaw in Google Authenticator discovered years ago.

Although two-factor authentication renders many forms of malware impotent, Cerberus allows attackers to access Authenticator and take a screenshot of the generated code, bypassing the security feature.

According to researchers from Nightwatch Cybersecurity, the flaw is obvious and easily remedied. Authenticator should not allow users to take screenshots, and adding a "FLAG_SECURE" option to the app's configuration would be sufficient to prevent the issue.

The flaw was first spotted in 2014, and Google was again prompted to issue a fix in 2017, but failed to act on the warning.

According to ZDNet, researchers from Nightwatch claim Microsoft’s Android 2FA solution also suffers from the same flaw.

Until the vulnerability is patched, users would be wise to use an alternative 2FA solution to secure online accounts.