We select and review products independently. When you purchase through our links we may earn a commission. Learn more.

Newly Upgraded Android Malware Can Steal Your Google Authenticator Codes

A man in a dark room with an obscured face, hacking into a phone.
Artem Oleshko/Shutterstock

The Cerebrus Android malware has been around since the middle of 2019, but like all software (good or bad), it keeps improving over time. Researchers at ThreadFabric have been examining a new variant and discovered several frightening capabilities. It can steal your Google Authenticator codes, record your input in banking apps, unlock your phone, and even remotely control it.

When Cerebrus first hit the world in 2019, it was more or less your run of the mill banking trojan. But now it has some serious upgrades. By taking advantage of Android’s accessibility tools, the app can completely take over your phone. It will load TeamViewer for complete control of the phone’s functions, which will let hackers change your settings and more. Essentially, the trojan has taken on the properties of RAT malware.

The malware includes lock screen grabbing tools so bad actors can unlock your phone whenever they want access. It gets worse, as Cerebrus can create overlays that cover your legitimate banking app. You won’t see it, but the overlay will record your inputs—that’d be your username and password.

Usually, we’d say two-factor authentication tools will save you, but not anymore. Cerebrus can record Google Authenticator codes from your phone. That means once you’ve opened your banking app and logged in, they have everything they to break into your account.

They’ll attempt a log into your account, and upon seeing the request for authentication code, pull it up on your phone. That’s, well, horrifying.

There’s some mildly good news, but it just barely qualifies. First, ThreatFabric notes that this variant of Cerebrus doesn’t seem to be live. Rather than spread the malware on their own, the creators prefer to “rent” the software to other people, who, in turn, modify it and try to infect victims.

The creators aren’t even advertising the new capabilities, so it could be that this upgraded malware isn’t fully functional yet. But that could change at any time. The other good news is Cerebrus usually spreads through fake flash installers you might download from a bad website. Be careful about where you go and don’t install apps outside the Google PlayStore, and you should avoid the issue.

Should being the operative word because malware does find its way into the PlayStore occasionally. Even then, be diligent and check what permissions an app needs. If something stands out as strange (like accessibility permissions), think twice before installing it.

via ThreatFabric

Josh Hendrickson Josh Hendrickson
Josh Hendrickson is the Editor in Chief of Review Geek and is responsible for the site's content direction. He has worked in IT for nearly a decade, including four years spent repairing and servicing computers for Microsoft. He’s also a smart home enthusiast who built his own smart mirror with just a frame, some electronics, a Raspberry Pi, and open-source code. Read Full Bio »