Flaw That Allows a Malware to Steal 2FA Codes from Google Authenticator Could Have Been Fixed Long Back

The issue with Google Authenticator allowing screenshots was flagged way back in 2014.

Advertisement
By Darab Mansoor Ali | Updated: 9 March 2020 14:19 IST
Highlights
  • Cerberus malware take screenshot of Google Authenticator using RAT
  • Screenshots can be blocked using a simple FLAG_SECURE command
  • The issue was first flagged to Google in 2014

Google Authenticator was launched in 2010, as a safer alternative to sending OTPs over SMS

Last month, a Dutch cyber-security firm ThreatFabric discovered the first-ever malware that could hack Google Authenticator application to extract one-time passcodes from a user's device by taking a screenshot of a user's screen with Google Authenticator open. The malware, named Cerberus, was under development when it was found and the ThreatFabric report did not find any real-world attacks using the malware. Now, a new research has looked into the malware's ability to access the content on a user's screen. It says that this can be easily prevented by using a simple FLAG_SECURE command that prevents any attacker from gaining access to the user's screen content.

The new research from Night Watch Cybersecurity says that many Android applications with higher security requirements also use the FLAG_SECURE protocol. Night Watch Cybersecurity also filed a bug report with Google, which then filed an internal bug. They say that Google has not informed if the bug has been fixed, and that their internal tests reveal that the bug is still present, hence attackers can still take the screenshot of Authenticator on a victim's phone.

Advertisement

The report says that a Github user had flagged the issue way back in 2014. Nightwatch also says that they themselves flagged the issue to Google's security team earlier in 2017 as well. However, all they got was a bounty response the next day. The report also said that the Microsoft Authenticator also comes with the same flaw. Despite them blogging about it in 2018, the issue still remains in the Microsoft application.

The Cerberus malware is a new Android banking trojan that surfaced in 2019. It is a hybrid between a banking trojan and a remote access trojan that allows the attacker to generate OTPs on a victim's Google Authenticator app and take screenshots of the code using the Remote Access Trojan (RAT). It uses a simple technique of taking screenshots of the Authenticator app's interface, the ThreatFabric report had said last month.

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement

Related Stories

Popular Mobile Brands
  1. Amazon Prime Day 2026: Best Deals on Soundbars From JBL, and More
  2. Amazon Prime Day Deals 2026: Up to 70 Percent Off on These Projectors
  3. Amazon Prime Day 2026: Top Deals on 65-inch Smart TVs
  4. Moto Buds 2 Review: How Much Bass Is Too Much Bass?
  5. Best Mobiles Under Rs. 30,000 in India
  6. Best 5G Phones Under Rs. 15,000 With Long Battery Life in India
  1. Boat Stone 900 Launched in India With Up to 80W Sound Output, Up to 15 Hours Audio Playback: Price, Features
  2. Cyberpunk 2077 Has Sold 40 Million Copies, CD Projekt Red Confirms
  3. Nothing Phone 1 Receives Final Software Update With Latest Security Patches, Bug Fixes and Improvements
  4. Nokia 235 4G (2026), 215 4G (2026) Launched Alongside Nokia 210 4G, and 200 4G With AI Assistant Button
  5. Samsung Galaxy S27 Ultra Battery Details Leaked; Could Top iPhone 18 Pro Max's Battery Capacity
  6. OnePlus Ace 7 Series Tipped to Feature 185Hz Display, 9,000mAh Battery
  7. WhatsApp Rolls Out Primary Device Support on iPad, Tests New Setup Screen for Android Tablets: Report
  8. Government Directs App Stores to Remove Malicious Apps Used to Disrupt E-Rickshaw Operations: Report
  9. Sony Reportedly Restructures Disc Factory After Announcing End of Physical Game Discs on PlayStation
  10. Maharashtra Legislature Passes Amendment to Bring Virtual Digital Assets Under Depositor Protection Law
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.