
Topic: A new virus is attacking Google 2FA app (Read 369 times)

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
March 03, 2020, 07:17:11 AM
#39
This is the most important part on how to be infected. As you checked the whitepaper, can you confirm that all Android apps can be infected? Meaning, if I am using Authy and not Google Authenticator, would Authy also be infected?
Usually, I don't enable screen lock, so it would be strange for me to see that lock screen, but if it's not from a link/downloaded malware, how can the virus reach my device?

I read all the comments above but still find it hard to believe that the virus has been out there since last June and Google didn't announce it as a potential high-risk danger, nor update its auth app with more security measures.

I don't think there is anything Google can update in Authenticator to stop this particular virus, it's not the weakness of the secret keys being exploited, it's Android itself being hacked. I think they should release a security update for android, and they probably will since this news is bubbling up in mainstream news outlets.

Now that I look at the whitepaper again, it says a lot of things about stealing Google Authenticator secrets, but after reading the other whitepaper at https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html, I see it can make other kinds of fake/phishing input screens, not just fake lock screens. This potentially lets it steal secret data from other apps like Authy. But the Cerberus botnet commanders (it makes a botnet) would have to be interested in stealing Authy secrets before making an "overlay" (fake screen) for that. I think the reason they decided to create a new whitepaper about Cerberus and Google Authenticator is that this new Cerberus can download anything from your filesystem and can make Teamviewer connections to Android, so like a remote control. The old version can't do this. Also, neither version can be uninstalled, which is a common thing for viruses to implement.



These screens are the old version of Cerberus. Old Cerberus was released (made available for selling) in June 2019; new Cerberus was released in January 2020. As you can see, it can also steal OTPs and other codes by presenting these fake login/data entry screens. My screenshot resolution is a little bad. I don't know how it does an "overlay attack" or if there is a way to tell whether a given screen is fake, but these screens were pasted from the whitepaper, as example fake screens that Cerberus is known to use. In both versions, some Flash Player screen is going to ask you for accessibility privileges in a dialog like this:



Don't give suspicious Flash Player-lookalike apps any permissions. Now would be a good time to reiterate, don't give any apps permissions that they don't need. If someone is foolish enough to give this app permissions, it will give itself even more privileges, and turn off Play Protect. Then it (both old and new Cerberus) will add your device to a botnet which can send these commands (pasted from the whitepaper):

Command          Description
push             Shows a push notification. Clicking on the notification will result in launching a specified app
startApp         Starts the specified application
getInstallApps   Gets the list of installed applications on the infected device
getContacts      Gets the contact names and phone numbers from the address book on the infected device
deleteApplication Triggers the deletion of the specified application
forwardCall      Enables call forwarding to the specified number
sendSms          Sends a text message with specified text from the infected device to the specified phone number
startInject      Triggers the overlay attack against the specified application
startUssd        Calls the specified USSD code
openUrl          Opens the specified URL in the WebView
getSMS           Gets all text messages from the infected device
killMe           Triggers the kill switch for the bot
updateModule     Updates the payload module (Note: I think this updates the virus)

So you see they can just StartInject any app they want including other authenticators and bam - you get a fake phishing screen. If you're tech savvy then you can check any packages on your phone and make sure there aren't any with these SHA256 hashes:

App name      Package name                  SHA256 hash
Flash Player  com.uxlgtsvfdc.zipvwntdy      728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f
Flash Player  com.ognbsfhszj.hqpquokjdp     fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329
Flash Player  com.mwmnfwt.arhkrgajn         ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c
Flash Player  com.wogdjywtwq.oiofvpzpxyo    6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4
Flash Player  com.hvdnaiujzwo.fovzeukzywfr  cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b
Flash Player  com.gzhlubw.pmevdiexmn        3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63


Edit: some more Cerberus hashes:
c3adb0a1a420af392de96b1150f0a23d8826c8207079e1dc268c07b763fe1af7
4ff95cadf83b47d1305f1deb4315e6387c4c0d58a0bdd12f74e866938c48baa5
9d4ce9cce72ec64761014aecbf1076041a8d790771fa8f8899bd3e2b2758281d


Confirmation that they are targeting cryptocurrency services that we use:



Always better to have knowledge of what viruses do so we know what to expect from them, right?
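As an added defender-side example (not from the post above, from ThreatFabric, or from any tool the thread mentions), here is a small Python script for the "check any packages on your phone" step: it parses the output of `adb shell pm list packages -f` (standard Android format `package:<apk path>=<package name>`), flags any package whose name is on the list quoted above, and hashes APK files you have pulled to your computer against the SHA256 values quoted above. The `pm list` sample output inside the block is constructed; the package names and hashes are the ones from the post.

```python
import hashlib
import os
import tempfile

# Package names and SHA256 values quoted in the post above (sourced from the
# ThreatFabric report). Nothing else in this block is an indicator.
CERBERUS_PACKAGES = {
    "com.uxlgtsvfdc.zipvwntdy", "com.ognbsfhszj.hqpquokjdp", "com.mwmnfwt.arhkrgajn",
    "com.wogdjywtwq.oiofvpzpxyo", "com.hvdnaiujzwo.fovzeukzywfr", "com.gzhlubw.pmevdiexmn",
}
CERBERUS_SHA256 = {
    "728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f",
    "fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329",
    "ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c",
    "6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4",
    "cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b",
    "3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63",
    "c3adb0a1a420af392de96b1150f0a23d8826c8207079e1dc268c07b763fe1af7",
    "4ff95cadf83b47d1305f1deb4315e6387c4c0d58a0bdd12f74e866938c48baa5",
    "9d4ce9cce72ec64761014aecbf1076041a8d790771fa8f8899bd3e2b2758281d",
}


def parse_pm_list(output: str) -> dict:
    """Parse `adb shell pm list packages -f` lines (package:<apk path>=<name>) into {name: path}."""
    packages = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue  # ignore adb noise or blank lines
        path, _, name = line[len("package:"):].rpartition("=")
        packages[name] = path
    return packages


def flag_packages(packages: dict, ioc_packages=CERBERUS_PACKAGES) -> list:
    """Return the installed package names that appear on the indicator list, sorted."""
    return sorted(name for name in packages if name in ioc_packages)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large APKs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def flag_apks(paths, ioc_hashes=CERBERUS_SHA256) -> list:
    """Return (path, sha256) for every local APK whose hash is on the indicator list."""
    hits = []
    for path in paths:
        digest = sha256_file(path)
        if digest in ioc_hashes:
            hits.append((path, digest))
    return hits


def selftest_local_apk_hashing() -> bool:
    """Write a constructed file, hash it both ways and check flag_apks matches only its own hash."""
    data = b"constructed sample bytes, not a real APK"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.apk")
        with open(path, "wb") as fh:
            fh.write(data)
        expected = sha256_bytes(data)
        return (sha256_file(path) == expected
                and flag_apks([path], ioc_hashes={expected}) == [(path, expected)]
                and flag_apks([path]) == [])  # a constructed file never matches the real list


if __name__ == "__main__":
    # Constructed sample of `adb shell pm list packages -f` output; the second entry
    # reuses a package name from the list above to show what a hit looks like.
    sample_output = (
        "package:/system/app/Calendar/Calendar.apk=com.android.calendar\n"
        "package:/data/app/com.uxlgtsvfdc.zipvwntdy-1/base.apk=com.uxlgtsvfdc.zipvwntdy\n"
    )
    print("flagged packages:", flag_packages(parse_pm_list(sample_output)))
    print("local hashing self-test:", selftest_local_apk_hashing())
```

Package names are cheap for a malware author to change between builds, so the hash check is the stronger of the two; run `adb pull` on the `base.apk` paths from the `pm list` output and pass those files to `flag_apks`.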
hero member
Activity: 2338
Merit: 757
March 02, 2020, 10:59:22 AM
#38
Malware can always make your phone vulnerable for even mobile apps but attacking Google 2FA is dangerous. I have been using it for almost all the exchanges earlier (gladly haven't saved anything now) but disabling this method doesn't seem an option now. What's the other way out? These exchanges don't support sending OTP to mobiles and only send it to emails which are again insecure.

This particular virus can only infect you if you swipe-unlock a fake lock screen on Android. I don't think it can infect you by opening a link, at least from the information I derived from the whitepaper.
This is the most important part on how to be infected. As you checked the whitepaper, can you confirm that all Android apps can be infected? Meaning, if I am using Authy and not Google Authenticator, would Authy also be infected?
Usually, I don't enable screen lock, so it would be strange for me to see that lock screen, but if it's not from a link/downloaded malware, how can the virus reach my device?

I read all the comments above but still find it hard to believe that the virus has been out there since last June and Google didn't announce it as a potential high-risk danger, nor update its auth app with more security measures.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
March 02, 2020, 08:49:50 AM
#37
Malware can always make your phone vulnerable for even mobile apps but attacking Google 2FA is dangerous. I have been using it for almost all the exchanges earlier (gladly haven't saved anything now) but disabling this method doesn't seem an option now. What's the other way out? These exchanges don't support sending OTP to mobiles and only send it to emails which are again insecure.

This particular virus can only infect you if you swipe-unlock a fake lock screen on Android. I don't think it can infect you by opening a link, at least from the information I derived from the whitepaper.
legendary
Activity: 2604
Merit: 2353
March 01, 2020, 06:53:58 PM
#36
As it was mentioned in previous posts, the Google Play Store download count is more than 10 mln+. I doubt the malicious software or Trojan will handle the 60-second time limit for accessing the site unless the source code is extracted from the app. I have used Authy app and this app is more secure than Google's 2FA authentication app.
When you say the "source code", you're talking about the seed of the OTP codes?
I disagree with you; one minute is enough for hackers. Moreover, on some exchanges the window is larger than that: OTP codes older than one minute still work...  Undecided
legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
March 01, 2020, 03:07:37 PM
#35
Honestly, this virus isn't a new story in the industry. Cerberus Android malware has already been here since June 2019.

Cerberus never contained OTP 2FA exploits before. This is a new development. The new exploit also hasn't been found yet in the current versions of Cerberus floating around on the black market.

If you really want good security, you might try Authy as the alternative. Authy has encrypted backups you can take advantage of. IMO

Cerberus is Android-specific. It's probably fair to assume that other Android authentication apps will be targeted in the future.

I would remove Android devices from your security setup. I would also avoid logging in to accounts from the same device you receive OTP 2FA codes from.
hero member
Activity: 2926
Merit: 722
DGbet.fun - Crypto Sportsbook
March 01, 2020, 02:44:34 PM
#34
Malware can always make your phone vulnerable for even mobile apps but attacking Google 2FA is dangerous. I have been using it for almost all the exchanges earlier (gladly haven't saved anything now) but disabling this method doesn't seem an option now. What's the other way out? These exchanges don't support sending OTP to mobiles and only send it to emails which are again insecure.
It's very risky disabling the best protection we have as of now if we are dealing with securities inside our important online wallets. Though there are chances that it will be breached, updates will follow, knowing the creators/developers of this system; it will be a challenge for Google to protect those people who believe in this application. For sure they've already been alarmed about these types of attacks and it will be updated sooner.
Nothing in this world really has 100% security, and everything can really be breached as long as those hackers exist. Loopholes are there, so it isn't really surprising to see this kind of news, but sooner or later they would really patch up that hole fast, knowing that Google 2FA has lots of users, and the developer team/Google itself won't really make things worse in a way that gives a bad impression of their app.
legendary
Activity: 2982
Merit: 1028
March 01, 2020, 10:39:16 AM
#33
Malware can always make your phone vulnerable for even mobile apps but attacking Google 2FA is dangerous. I have been using it for almost all the exchanges earlier (gladly haven't saved anything now) but disabling this method doesn't seem an option now. What's the other way out? These exchanges don't support sending OTP to mobiles and only send it to emails which are again insecure.
It's very risky disabling the best protection we have as of now if we are dealing with securities inside our important online wallets. Though there are chances that it will be breached, updates will follow, knowing the creators/developers of this system; it will be a challenge for Google to protect those people who believe in this application. For sure they've already been alarmed about these types of attacks and it will be updated sooner.
legendary
Activity: 2492
Merit: 1232
March 01, 2020, 10:24:27 AM
#32
Honestly, this virus isn't a new story in the industry. Cerberus Android malware has already been here since June 2019.

The virus was being rented out in the black market last year. It caught the attention of the cyber authorities since then. I heard this malware is originally from Russia. It was also inspired by the malware called Anubis. Maybe they are related to this ransomware and maybe with the same developer.

If you really want good security, you might try Authy as the alternative. Authy has encrypted backups you can take advantage of. IMO
legendary
Activity: 2632
Merit: 1094
March 01, 2020, 07:10:15 AM
#31
Malware can always make your phone vulnerable for even mobile apps but attacking Google 2FA is dangerous. I have been using it for almost all the exchanges earlier (gladly haven't saved anything now) but disabling this method doesn't seem an option now. What's the other way out? These exchanges don't support sending OTP to mobiles and only send it to emails which are again insecure.
hero member
Activity: 2058
Merit: 538
Leading Crypto Sports Betting & Casino Platform
February 29, 2020, 07:12:12 PM
#30
As it was mentioned in previous posts, the Google Play Store download count is more than 10 mln+. I doubt the malicious software or Trojan will handle the 60-second time limit for accessing the site unless the source code is extracted from the app. I have used Authy app and this app is more secure than Google's 2FA authentication app.

Long story short, SIM 2FA is not secure, and the way OTPs are being used right now is not secure either (web services need to get their act together already). If you ask me I wouldn't use any 2FA until most web services make secret keys at least 128 bits long. I would use a BIP39 passphrase instead. I'm not a security researcher and don't claim to be one, I just thought I would clear up some of the misinformation in this thread.

P.S. link to the security whitepaper that's buried inside the article OP linked, in case you didn't see it above: https://www.threatfabric.com/blogs/2020_year_of_the_rat.html
Thanks for the explanation. There are even services on the dark web that talk about cloning the SIM number after finding the latest signal coming from the database. The nearest data center signal is enough to hack the number and forward the incoming SMS. Horrible..
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
February 29, 2020, 03:14:58 PM
#29
Interesting news OP. Let me see if I can dissect it. First it will help to know how Google Authenticator works so we don't, you know, talk about a black box. The protocol Google Authenticator uses is publicly known, as there used to be open-source versions of it. It is now a proprietary app, but obviously it must be backward compatible with its older versions, because a website using this protocol will need to accept users of both of these clients. The Google Play Store app is the proprietary version of Authenticator.

I use One Time Passwords (OTPs) generated by Authenticator, with a QR code, to log into university computers so I have at least some knowledge of how Authenticator works.

(Lots of the following content was sourced from https://en.wikipedia.org/wiki/Google_Authenticator)

First of all, this is a vulnerability in Authenticator so it doesn't matter whether you use username/password or QR code to login.

Second, the way Authenticator works is that it takes an 80-bit secret key that a service creates (as I will explain below, this is a big security hole) in the form of a base32 (A-Z and 2-7 characters) string, possibly wrapped inside a QR code. If you don't know base32, all you need to know about it is that each character like A, 2, etc. can store 5 bits of entropy, so the string ABCDE234 contains 40 bits of entropy. So, it doesn't matter how the secret is imported into Authenticator, it's ultimately the same secret string.

Third, the secret key is passed along with a periodically changing number (Google Authenticator uses TOTP variant of OTP), such as:
I wonder if the news about 2FA being compromised is true, haven't heard any reaction from Google about this rumor, if it is true then Google would be fast enough to react on this and notify their users about the incident.

Please don't conflate different types of 2FA together, especially since there isn't really a technical protocol that all 2FA methods use and so you can't say all of 2FA is compromised by a single vulnerability, like the one in the article. Again:

  • Only Authenticator for Android is affected
  • Other Authenticator platforms are safe from this (for now)
  • Even though only Google Authenticator for Android is affected right now, other authentication apps might get targeted in the future. It's only been 6 months since the virus (called Cerberus) was updated with this.
  • 2FAs that don't use OTP are safe from this

I wish the security company made available the part of the Cerberus code that intercepts the Authenticator 2FA tokens so we would have a clearer idea of what type of information is being stolen right now. Remember that viruses are slow to update; they have to be patched at hacking forums for months.



That being said, there is a long list of flaws in SMS 2FAs and I would take OTP based 2FA over SMS 2FA any day. SMS 2FAs have no cryptographic strength over OTPs because the security of SMS 2FAs relies entirely on your carrier to not have telecom engineers who've been bribed by criminals to replace your phone number or intercept your SMS messages. Heck, famous people's accounts have been hacked by people who compromised SMS 2FA. It is very easy to hijack a SIM. The most damning part about SMS authentication is that mobile carriers don't do anything about this.  (Think about it. It's their managers and employees, whose internal decisions can override a complaint you make about their services. That's how much security there is in SMS 2FA.)

And then there are notices like this: T-Mobile Is Sending a Mass Text Warning of ‘Industry-Wide’ Phone Hijacking Scam:



You know a security method is very, very insecure if the only counter-measure operators can take is warning people not to fall for it. This particular message reeks of generic lack-of-concern towards the users when there is a danger with catastrophic consequences going on. Reminds me of Facebook security notices sometimes.



Long story short, SIM 2FA is not secure, and the way OTPs are being used right now is not secure either (web services need to get their act together already). If you ask me I wouldn't use any 2FA until most web services make secret keys at least 128 bits long. I would use a BIP39 passphrase instead. I'm not a security researcher and don't claim to be one, I just thought I would clear up some of the misinformation in this thread.

P.S. link to the security whitepaper that's buried inside the article OP linked, in case you didn't see it above: https://www.threatfabric.com/blogs/2020_year_of_the_rat.html
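As an added example (not code from the post above or from Google's app), here is a small Python implementation of the protocol the post describes, RFC 4226 HOTP and RFC 6238 TOTP: the base32 secret, the 5-bits-per-character entropy count, HMAC-SHA1 over a 30-second counter, and a server-side verifier with an acceptance window, which is what makes "OTP codes older than one minute still work" on some sites. The secret used is the published RFC 6238 test vector, not anyone's real account secret; the expected codes are the RFC's own values.

```python
import base64
import hashlib
import hmac
import struct
import time

# The RFC 6238 reference key "12345678901234567890" in base32. A published test
# vector used here as a constructed example, not a real account secret.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def base32_entropy_bits(secret_b32: str) -> int:
    """Each base32 character (A-Z, 2-7) carries 5 bits, so "ABCDE234" holds 40 bits."""
    return 5 * len(secret_b32.rstrip("="))


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 string a service hands out, with or without '=' padding."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding most apps drop
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(decode_secret(secret_b32), int(at_time) // step, digits)


def verify_totp(secret_b32: str, code: str, at_time, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check. window=1 also accepts the previous and next step (90 s in all);
    a site that sets a larger window is one where codes older than a minute still work."""
    secret = decode_secret(secret_b32)
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + k, digits), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    print(base32_entropy_bits("ABCDE234"))                                  # 40
    print(base32_entropy_bits("GEZDGNBVGY3TQOJQ"))                          # 80
    print(totp(RFC6238_SECRET_B32, at_time=59))                             # 287082
    print(verify_totp(RFC6238_SECRET_B32, "287082", at_time=89, window=1))  # True
    print(verify_totp(RFC6238_SECRET_B32, "287082", at_time=89, window=0))  # False
```

The verifier compares with `hmac.compare_digest` to avoid leaking which digits matched through timing, and every accepted window step multiplies the number of codes a stolen-screen phish can replay, so keep `window` as small as clock drift allows.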
jr. member
Activity: 118
Merit: 2
The end approaches..What are you doing to prepare?
February 29, 2020, 10:23:12 AM
#28
lol this is something i've been saying for years, * 2fa password schemes are some bullshiT\_@@_/reeeee

Well, it's not just 2FA that has its own weakness. Passwords can be cracked, biometrics can be spoofed and so forth.

At least 2FA adds one layer of security through our phones/ emails.

2FA is an ATTACK VECTOR  Roll Eyes  not an added layer of security.
jr. member
Activity: 352
Merit: 1
February 29, 2020, 05:15:46 AM
#27
It seems 2FA authentication is not totally safe anymore.

A new malware called Cerberus now targets Android-based smartphones by stealing passwords provided by the Google Authenticator app, a new cyber-security report by ThreatFabric states.

As reported by the research group, Cerberus can do something that very few other Trojans are able to – mess with the Google Authenticator app and steal its one-time codes which are often used to secure access to Bitcoin wallets or accounts on digital exchanges.

Until now, this Google app was believed to be the best protection, much more efficient than SMS-based security codes.

https://[Suspicious link removed]day/bitcoin-btc-wallets-may-be-in-danger-as-new-trojan-compromises-google-2fa
https://www.threatfabric.com/blogs/2020_year_of_the_rat.html


Can this be true? I recently couldn't log in to an exchange I secured with 2FA, even though I still have them. I chatted with customer service and the account was reactivated, only to find out that some of my tokens had been moved out. Though it was not much, it was really painful.
hero member
Activity: 2128
Merit: 532
FREE passive income eBook @ tinyurl.com/PIA10
February 29, 2020, 02:26:17 AM
#26
lol this is something i've been saying for years, * 2fa password schemes are some bullshiT\_@@_/reeeee

Well, it's not just 2FA that has its own weakness. Passwords can be cracked, biometrics can be spoofed and so forth.

At least 2FA adds one layer of security through our phones/ emails.
legendary
Activity: 3906
Merit: 1373
February 28, 2020, 08:05:48 PM
#25
It's probably a mapping of the Coronavirus into standard programming. I wonder who mapped it this way, and let it loose at Google.

 Grin
sr. member
Activity: 2044
Merit: 314
Vave.com - Crypto Casino
February 28, 2020, 06:07:48 PM
#24
There's no safety anymore from the hackers; they are working hard to crack every security code that we have. 2FA is the best so far, but if there's a confirmed hacking incident on this security then people will panic. I hope Google will improve the security of 2FA, and hopefully the Android system will become more secure as well; there are a lot of Android users here for sure.
copper member
Activity: 2968
Merit: 575
www.Crypto.Games: Multiple coins, multiple games
February 28, 2020, 05:50:22 PM
#23
No way. I have a lot of accounts with 2FA; almost all of my accounts have it. This is just alarming, I never thought that it would be breached like that. Most of the sites offer this as security, and if this is happening a lot of accounts will be hacked so easily, since that is the first thing you will put in when you log in. I will be removing mine now and renewing my passwords.
You don't have to remove it. Do you really think Google Authenticator, a software developed by Google is totally vulnerable to the new virus forever? Of course Google is going to take some steps and put on some patches to make sure that Google Authenticator is safe from all kinds of attack.
Like I said, you don't have to remove authenticator. Just make sure you keep your phone protected and be careful when surfing the internet or downloading files. As long as you don't get your phone infected, you will be safe.
copper member
Activity: 448
Merit: 3
February 28, 2020, 04:14:00 PM
#22
I didn't read your article, but I still think 2FA is very safe to use compared to leaving your exchange or wallets without any form of protection. What is needed is just for 2FA to have more security in third-party software development.
sr. member
Activity: 2506
Merit: 368
February 28, 2020, 04:06:52 PM
#21
I don't know how trustworthy your source is. That article has no strong point or source that makes it believable news. So I'll take it as hype news until Google confirms it. But if this is happening then many users who use the Google 2FA app for their security are going to suffer. And I don't think there is any crypto-related person who doesn't use this app. According to the Google Play Store, around 10M+ people use this app. So I hope we'll know more details about it in a very short time.
I might have to stick with your point for the moment, since Google hasn't confirmed anything yet about this so-called 2FA virus in Google Auth. Android viruses aren't as effective as Windows OS viruses, although a virus is still a virus that can cause problems for our phone, especially if we randomly download the apps you want from an unsafe website.
jr. member
Activity: 118
Merit: 2
The end approaches..What are you doing to prepare?
February 28, 2020, 03:40:32 PM
#20
lol this is something i've been saying for years, * 2fa password schemes are some bullshiT\_@@_/reeeee