A couple of weeks ago, we shared with you that Google Authenticator 2FA codes could be stolen by Android malware. It’s a trojan that could bypass 2FA-protected accounts and has been out even before it was reported last year. A version was said to be able to steal one-time (OTP) passcodes. It takes the content of the interface of an authenticator app and sets the information to a server. The malware is said to be very dangerous and advanced because it acts like remote access trojans.
The code-stealing issue has been there for years. Even the Google Authenticator app is a victim. Information can be screenshotted that may be known by other parties.
Now we’re learning Google could have fixed this problem on the Authenticator app. Unfortunately, it didn’t add the “FLAG_SECURE” option that could be used to make the app more secure. This feature is allowed by Android OS on most apps as protection for users. It actually blocks other programs from screenshotting the content.
Apparently, Google didn’t add this particular flag to the Authenticator’s app. It’s head-scratching because the app handles very sensitive data. Researchers and other devs said Google could have made the fix when the first problem was made known to the public in 2014 and again in the year 2017.
The Google Authenticator app isn’t the only one with this problem. According to the researchers, Microsoft’s version for Android also comes with the same misconfiguration. This means the screen can be screenshotted, allowing information to be shared.
It is recommended by security researchers that Android move on to other 2FA OTP code-generating apps instead of using the Authenticator. Hardware keys are recommended as they offer more secure 2FA authentication.