Advancements in Android Malware Pose New Risks to Bitcoin Users
The cryptocurrency community faces a new security threat: an Android malware strain has been found that can steal the two-factor authentication (2FA) codes generated by the Google Authenticator app on a victim’s mobile device. In response, users with accounts on cryptocurrency exchanges and digital wallets may need to take additional measures to secure their assets and minimize the risk posed by these advances in modern malware.
Popular 2FA apps such as Google Authenticator function in a similar fashion to traditional password managers. The key difference is that a 2FA app generates only a one-time password (OTP). A 2FA OTP can typically be generated only by the authenticator app itself, which is meant to make the passcode accessible only to the user of the device. One-time passwords are time-dependent: each code is valid for a short, fixed period and becomes unusable once that period expires.
While 2FA apps like Google Authenticator do provide users with added security compared to just using a password alone, the benefits of authenticators can be jeopardized if the applications themselves become compromised in attacks by increasingly advanced malware applications. Analysts from Dutch security firm ThreatFabric have been closely monitoring the growing trends in what are known as mobile banking Trojans over the past few years. ThreatFabric was the first to report an increase in the use of malware known as Remote Access Trojans (RAT) to commit financial fraud.
In a recent report, ThreatFabric warns that the latest version of the Cerberus Android Trojan malware strain is equipped with RAT capabilities. ThreatFabric says that the updated version of Cerberus that became available on the dark web in January 2020 can obtain 2FA codes generated by Google Authenticator. Hackers and cybercriminals can use stolen 2FA codes to access a victim’s online banking accounts and accounts held on cryptocurrency exchanges and digital wallets. Having access to a user’s 2FA codes can also leave the victim’s other personal online accounts (such as their email) vulnerable to being hacked as well.
Since its initial arrival in a Russian hacking forum in June 2019, Cerberus has been available to rent by cybercriminals. Prices for renting Cerberus start at $2,000 for one month of access. Once Cerberus has been rented, the customers take control over spreading the malware. The most common malware delivery method is the use of contaminated links in emails and SMS messages.
By taking advantage of the accessibility service privileges on Android phones, the malware has the potential to steal information from any app. When equipped with RAT capabilities, the malware can read and visualize all of the content on a victim’s screen and also interact with that content. Hackers can obtain a similar degree of control over a compromised device as the device’s owner has.
The new features in the January 2020 version of Cerberus included the ability to bypass screen-lock credentials such as PIN codes. The ability to bypass screen-lock credentials would give cybercriminals the ability to unlock an infected device remotely when its owner is not using the device.
Analysts from ThreatFabric say that the latest updates to Cerberus’s RAT-related capabilities will also give a hacker access to the infected device’s file system, allowing the content stored on an Android device to be downloaded remotely. The new Cerberus can achieve full remote access to a victim’s mobile device by launching Android’s TeamViewer application. By exploiting vulnerabilities in the TeamViewer application, hackers can use any app on a user’s device, including mobile banking, social media, online messaging, and cryptocurrency applications.
It is feared that the newest, yet-to-be-released version of Cerberus will expand upon its existing RAT capabilities. The new features and functionality of this more advanced form of Cerberus are believed to be undergoing heavy testing and may become available in underground markets soon.
In the past, online and mobile banking malware was primarily designed to access a victim’s banking information to facilitate various forms of financial fraud. However, over time, many financial institutions and service providers have had success in developing increasingly sophisticated fraud detection mechanisms that have made it more difficult for criminals to commit fraud without being detected.
In response, cybercriminals needed to become increasingly creative in conceiving new ways to circumvent modern financial fraud detection systems. As consumers of financial services continue to shift their preferences towards mobile banking platforms, cybercriminals have responded by developing malware that targets mobile devices to prevent detection. By taking advantage of the increased functionality that Remote Access Trojans offer, criminals have found a new method to avoid detection by gaining the ability to carry out financial transactions directly from a victim’s device.
The most recently updated version of Cerberus currently targets a large number of institutions, including many cryptocurrency exchanges. Combined with the other two prominent Remote Access Trojans (Hydra and Gustuff), 26 cryptocurrency exchanges have been identified as targets, including Coinbase, Binance, and Bitpay. More than 20 crypto wallet providers have also been identified as targets.
The good news for Android users is that the owner of the device needs to be successfully deceived into granting the Trojan access to Google Authenticator’s interface. To trick users into giving Cerberus access, the malware will pretend to be a commonly used app like “Flash Player” and get the victim to grant it Android’s accessibility service privileges. The accessibility service privileges were originally intended to help people with disabilities use their Android devices. Android users can help protect themselves by not opening suspicious emails and SMS messages, and by not clicking on any links contained within them.
Additional steps cryptocurrency users can take to prevent an advanced malware attack include:
1- Not downloading apps from outside of the Google Play store, as Google checks applications for malware and removes them.
2- It is also recommended that users be cautious and mindful about what permissions an app is requesting when being installed, and to deny access to any requests that look suspicious. Permissions can also be enabled and disabled in the Android settings menu.
3- Users can choose to use an alternative 2FA authenticator such as Authy, which is also available on the Google Play store. Authy said in a tweet that the company is aware of the Cerberus threat and is currently investigating any impact it could have on Authy, adding that they are not aware of any affected users.
4- Authy went on to say, “This class of malware—which only works when downloaded and Android accessibility service permissions are granted by the user—is not new. Authy already has mitigations in place against some malware exploiting accessibility services.” They added, “Malware like Cerberus usually rely on screen grabbing capabilities. The Authy Android app does not allow screen grabbing of sensitive data.”
5- Users are encouraged to download anti-malware and anti-virus software such as Malwarebytes. Malware protection software can automatically detect and remove malware from an infected device and shield vulnerable systems from an attack. It can also block access to and from malicious websites and help prevent ransomware attacks.
6- One last step cryptocurrency users can take as a potential defense against Remote Access Trojans is to use a physical authentication key. Physical authentication keys such as the FIDO U2F YubiKey require a hacker to possess a physical device that only the owner of the account holds, minimizing the risk and potential damage of a RAT attack.
7- It is worth noting that if the above options do not meet your needs, you can use an air-gapped iPhone in “airplane mode” (so there is no Bluetooth or internet connection) exclusively for multi-factor authentication.